Energize-to-Trip vs De-energize-to-Trip in Functional Safety
In functional safety engineering, one of the first design decisions is how a safety function moves the system to a safe state. De-energize-to-trip and energize-to-trip have very different implications for fail-safe behaviour, diagnostics, and SIL compliance.
De-energize to Trip
A de-energize-to-trip safety system performs the safety function when energy is removed. The safe state occurs without the need for energy. This approach is based on the classic fail-safe design principle.
If something goes wrong — power loss, cable failure, controller failure, signal interruption — the system naturally moves to the safe state.
Example — spring-return shutdown valve
During normal operation, the solenoid valve is energized and instrument air holds the valve open. When a safety demand occurs, the solenoid de-energizes, air is vented, and the spring closes the valve.
Key point: Even if power or air supply fails, the valve will still close. That is fail-safe behaviour.
Energize to Trip
An energize-to-trip safety system requires energy to perform the safety function. The system must actively apply energy to move to the safe state. If energy is lost, the safety function may not occur — meaning the system is not inherently fail-safe.
Example — motor-operated valve
Consider a system where a valve is closed during normal operation and the safety function requires opening the valve to relieve pressure. The system must energize the motor to open the valve when a hazardous condition occurs. If power is lost at the wrong moment, the safety action will not be executed.
Who Decides Whether It Is Energize or De-energize to Trip?
This decision is not made by the control engineer or the maintenance department. It is determined much earlier in the safety lifecycle.
Methods such as HAZOP, LOPA, ETA, and FTA identify hazardous scenarios and determine what action is required to bring the system to a safe state — stopping flow, draining material, injecting inhibitor, depressurizing a system. Once the required action is defined, engineering determines how to implement that action safely.
Sometimes the required safe action naturally leads to de-energize-to-trip. Other times, the required action means the system must energize to perform the safety function.
Why Most Safety Functions Use De-energize to Trip
Because of the fail-safe principle, many safety instrumented functions are designed as de-energize to trip. The main advantages are safer behaviour during power loss, simpler failure assumptions, easier SIL verification, and fewer dangerous failure modes. This aligns with the principle that systems should move to the safe state when failures occur.
When Energize to Trip Is Necessary
Not every safety function can be de-energize to trip. Some safety functions require energy to perform the safe action — opening a valve, activating a pump, injecting inhibitor, venting through an active device.
In these cases, energize-to-trip design may be unavoidable. The engineering challenge then becomes ensuring the system still achieves the required SIL performance.
Why Energize-to-Trip Designs Are More Demanding
Energize-to-trip systems introduce additional challenges. Loss of energy may prevent the safety function from working. Backup power may be needed. PFD calculations must include the power supply. Proof testing becomes more important and more frequent.
Achieving SIL targets is more complex than with de-energize-to-trip designs — but complexity does not mean it is wrong. It simply requires careful engineering and proper verification.
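A worked illustration of why the power supply changes the PFD result, added here as an example and not taken from the original article or from any standard's text. It assumes the simplified 1oo1 low-demand approximation PFDavg ≈ λ_DU × TI / 2, ignores common cause, diagnostics and imperfect proof test coverage, and uses constructed failure rates and hypothetical names throughout.

```python
# Added example. Failure rates are constructed, not vendor or plant data.
HOURS_PER_YEAR = 8760
# Upper PFDavg limit of each low-demand SIL band (IEC 61508 / IEC 61511).
SIL_UPPER = {4: 1e-4, 3: 1e-3, 2: 1e-2, 1: 1e-1}

def sif_pfd(lambda_du, test_years):
    """Series 1oo1 elements: PFDavg ~= sum(lambda_DU) * TI / 2."""
    return sum(lambda_du.values()) * test_years * HOURS_PER_YEAR / 2

def sil_band(pfd):
    """Highest SIL whose upper PFDavg limit is not exceeded (0 = none)."""
    for sil in (4, 3, 2, 1):
        if pfd < SIL_UPPER[sil]:
            return sil
    return 0

def max_test_interval(lambda_du, target_sil):
    """Proof test interval (years) at which PFDavg reaches the band limit."""
    return 2 * SIL_UPPER[target_sil] / (sum(lambda_du.values()) * HOURS_PER_YEAR)

# Dangerous undetected failure rates per hour (constructed values).
DE_ENERGIZE = {"sensor": 5e-7, "logic_solver": 1e-7, "solenoid_and_valve": 1.2e-6}
# Energize to trip: loss of supply now blocks the trip, so the supply's
# dangerous undetected rate joins the series (assumed: no backup supply).
ENERGIZE = dict(DE_ENERGIZE, power_supply=8e-7)

if __name__ == "__main__":
    for name, loop in (("de-energize", DE_ENERGIZE), ("energize", ENERGIZE)):
        pfd = sif_pfd(loop, 1.0)
        print(f"{name:12s} PFDavg={pfd:.2e} SIL {sil_band(pfd)} "
              f"TI limit for SIL 2 = {max_test_interval(loop, 2):.2f} y")
```

With these constructed numbers and a one-year proof test, the de-energize-to-trip loop lands in the SIL 2 band while the energize-to-trip loop falls to SIL 1, and recovering SIL 2 requires a proof test interval shorter than about 0.88 years.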
Functional Safety Is About Performance — Not Philosophy
In practice, both approaches can be acceptable. The real question is not whether the system is energize-to-trip or de-energize-to-trip.
The real question is: Can the safety function achieve the required risk reduction — and can that be demonstrated through design, failure analysis, SIL verification, proof testing, and lifecycle management?
Functional safety is not about following a design philosophy blindly. It is about proving that the safety function works when it is needed.