Fail-safe and fail-secure describe what an electrified lock does when it loses power. A fail-safe lock unlocks on power loss (it defaults to open). A fail-secure lock stays locked on power loss (it defaults to closed). That single behavioral choice decides whether a door protects people or protects property when the electricity stops — and getting it wrong on the wrong opening can mean either a trapped occupant or an unsecured asset. This guide explains how each mode works, where each belongs, and how to specify them so your access-control system survives both an outage and an audit.
What the terms actually mean
The confusion around fail safe vs fail secure comes from the word "safe." It does not refer to a vault or to being "more secure." It refers to life safety — the condition the door takes when something fails.
- Fail-safe (fail-open): Power energizes the lock to keep it locked. Cut the power and the lock releases. The door becomes free to open. This protects people, because no one can be electronically trapped behind a powered door.
- Fail-secure (fail-closed): Power energizes the lock to release it. Cut the power and the lock stays secured. The opening protects assets, because a power outage never throws the door open.
Both modes still allow normal credentialed entry and free egress when the system is healthy. The distinction only reveals itself at the moment of failure: a dead power supply, a tripped breaker, a severed cable, or a fire alarm that intentionally drops power to a lock.
How each mode behaves under power loss
A practical way to reason about it is to ask: which state requires electricity?
Fail-safe hardware holds the locked state with power. Electromagnetic locks (maglocks) are the classic example — they are inherently fail-safe because a maglock physically cannot hold without continuous current. Many electric strikes and electrified mortise locks can also be ordered in a fail-safe configuration. When the building loses power, these openings unlock and stay unlocked until power returns.
Fail-secure hardware holds the locked state without power. A fail-secure electric strike keeps its keeper rigid when de-energized; the door remains latched and the mechanical lockset still governs it. Power is only consumed momentarily to release the strike for an authorized entry. This is why fail-secure devices also tend to draw less power overall — they are only energized during the brief release.
A subtle but important point: on most fail-secure openings, mechanical egress is preserved by the lockset, not the electronics. A lever or panic device on the inside lets people leave regardless of lock state. That is what makes fail-secure acceptable on many doors — people can still get out by hand even though the electronics hold the door shut from the outside.
When to choose each — and where code decides for you
For a large share of openings, this is not a preference. Building and fire codes, and the authority having jurisdiction (AHJ), dictate the answer. Your integrator's job is to map every opening to the right mode and document why.
Choose fail-safe when life safety or egress controls the door:
- Doors in a stairwell or egress path where occupants must reach the exit during an alarm.
- Any opening tied into the fire alarm or life-safety system, where the lock is required to release on alarm.
- Maglock installations, which are fail-safe by nature and almost always require code-compliant release devices (request-to-exit sensor, a listed exit-side release, and power loss on alarm).
Choose fail-secure when asset protection controls the door and egress is handled mechanically:
- Perimeter and exterior entrances that must never spring open during an outage.
- Server rooms, evidence and weapons storage, SCIFs, pharmacy and records rooms — high-value interior spaces where an outage must not equal an open door.
- Stairwell re-entry doors in some configurations, where you want to keep intruders out of tenant floors while a separate mechanism preserves egress.
The recurring trap is treating fail-safe as "the safe choice" everywhere. Putting fail-safe hardware on a data center or a controlled-substance cabinet means a flipped breaker hands an attacker the room. Conversely, locking egress with fail-secure hardware that lacks a mechanical release can trap people — a serious code violation and a genuine danger.
Design and specification checklist
Treat mode selection as a per-opening decision captured in a door hardware schedule, not a blanket setting.
- Inventory every opening and tag it: egress path, perimeter, high-security interior, or interior-circulation.
- Confirm the egress strategy for each — mechanical lever/panic release versus electronic release — before picking lock mode.
- Coordinate with the fire alarm and AHJ so any required release-on-alarm behavior is wired and tested, not assumed.
- Size power and backup correctly. Fail-safe doors draw current continuously; fail-secure doors draw only on release. This changes power-supply sizing and how long battery backup actually holds each opening in its intended state.
- Verify the device is field-selectable or ordered correctly. Many electric strikes ship configurable between modes; others are fixed. Confirm before install, because a "swap" can mean a new device.
- Document and label. Record the mode, the code basis, and the test result for each opening so the next audit isn't a guessing game.
The compliance and supply-chain layer
Picking the right behavior is only half the assurance story. For federal, defense, and many enterprise buyers, the hardware itself has to clear procurement rules. NDAA Section 889 prohibits agencies and many contractors from using covered telecommunications and video-surveillance equipment from named manufacturers, and TAA governs country-of-origin for items bought on certain contract vehicles. Locks, controllers, power supplies, and the access-control platform that drives them all sit inside that scope.
A vendor-neutral integrator earns its keep here. Because we are not bound to one manufacturer's catalog, we can specify the fail-safe or fail-secure device that fits the opening and clears 889 and TAA — instead of forcing a compliant-on-paper part into a door where it creates a code problem. The full-lifecycle view matters too: the right mode has to keep behaving correctly through power-supply replacements, firmware updates, and re-certifications years after the ribbon-cutting, which is why we capture the rationale in the as-built record rather than leaving it tribal knowledge.
The bottom line
The fail safe vs fail secure question reduces to one trade-off at the moment of power loss: release for people, or hold for property. Egress and life-safety openings lean fail-safe; perimeter and high-value interior openings lean fail-secure. Code and the AHJ decide many of them outright. The durable answer is a documented, opening-by-opening schedule, built on hardware that is both code-correct and procurement-clean.
If you want a second set of eyes on your door schedule — or a fresh design that's right on day one — explore our access-control and security integration services.