BlueCat strongly recommends clustering at least two HSM servers for failover and disaster recovery.
In the event that a failover is triggered on the primary HSM server, the secondary HSM server will be promoted to primary status. Once the primary HSM server resumes normal operation, however, BIND must be re-started in order to complete the failover from the secondary back to the primary HSM server. Currently, this is a limitation of the Entrust netHSM server hardware.