Energize-to-Trip vs De-energize-to-Trip in Functional Safety

What is the difference in Functional Safety?

In functional safety engineering, one of the first design decisions is how a safety function actually moves the system to a safe state.

Two common design philosophies exist:

• De-energize to trip
• Energize to trip

Both can be used in safety instrumented systems (SIS). However, they have very different implications for fail-safe behaviour, diagnostics, and SIL compliance.

Understanding the difference is fundamental for engineers working with safety functions.

De-energize to Trip

A de-energize-to-trip safety system performs the safety function when energy is removed.

In other words, the safe state occurs without the need for energy.

This approach is based on the classic fail-safe design principle.

If something goes wrong, such as:

• power loss
• cable failure
• controller failure
• signal interruption

the system naturally moves to the safe state.

Example

A very common example is a spring-return shutdown valve.

Normal operation:

• The solenoid valve is energized
• Instrument air holds the valve open

When a safety demand occurs:

• The solenoid de-energizes
• Air is vented
• The spring closes the valve

Even if power or air supply fails, the valve will still close.

That is fail-safe behaviour.

Energize to Trip

An energize-to-trip safety system requires energy to perform the safety function.

In this design, the system must actively apply energy to move to the safe state.

If the energy is lost, the safety function may not occur.

This means the system is not inherently fail-safe.

Example

Consider a system where:

• a motor is needed to move a valve and the valve is closed during normal operation
• the safety function requires opening the valve to relieve pressure

In this case, the system must energize the motor to open the valve when a hazardous condition occurs.

If power is lost at the wrong moment, the safety action will not be executed.

Who Decides Whether It Is Energize or De-energize to Trip?

This decision is not made by the control engineer or the maintenance department.

It is determined much earlier in the safety lifecycle.

The hazard and risk analysis identifies the need for a certain safety function.

Methods such as:

• HAZOP
• LOPA
• ETA
• FTA

identify the hazardous scenarios and determine what action is required to bring the system to a safe state.

For example, the analysis may determine that the safety function must:

• stop the flow (e.g. by closing a valve or stopping a pump)
• drain the material (open the flow, i.e. open a valve)
• inject inhibitor
• depressurize a system

The intention of the required safety function is important and needs to be defined. This will drive the design team to the right solution.

Once the required intention/action is defined, the engineering design must determine how to implement that action safely.

Sometimes the required safe action naturally leads to de-energize-to-trip design.

Other times, the required action means the system must energize to perform the safety function.

The design philosophy therefore follows the required safety action, not the other way around.

Why Most Safety Functions Use De-energize to Trip

Because of the fail-safe principle, many safety instrumented functions are designed as de-energize to trip.

The main advantages are:

• safer behaviour during power loss
• simpler failure assumptions
• easier SIL verification
• fewer dangerous failure modes

This aligns with the principle that systems should move to the safe state when failures occur.

When Energize to Trip Is Necessary

However, not every safety function can be de-energize to trip.

Some safety functions require energy to perform the safe action.

Examples include situations where the safe state requires:

• opening a valve
• activating a pump
• injecting inhibitor
• venting or depressurizing through an active device

In these cases, energize-to-trip design may be unavoidable.

The engineering challenge then becomes ensuring that the system still achieves the required SIL performance.

Why Energize-to-Trip Designs Are More Difficult

Energize-to-trip systems introduce additional challenges:

• Loss of energy may prevent the safety function from working
• Backup power may be needed
• PFD calculations need to include power supply
• Proof testing becomes more important

Because of these factors, achieving SIL targets can be more complex than with de-energize-to-trip designs.

But complexity does not mean it is wrong.

It simply requires careful engineering and proper verification.

Functional Safety Is About Performance — Not Philosophy

In practice, both approaches can be acceptable.

The real question is not whether the system is energize-to-trip or de-energize-to-trip.

The real question is:

Can the safety function achieve the required risk reduction?

That must be demonstrated through:

• proper design
• failure analysis
• SIL verification
• proof testing
• lifecycle management

Functional safety is not about following a design philosophy blindly.

It is about proving that the safety function works when it is needed.

---