Fail-safe vs fail-secure access control: the choice that decides what happens on a power cut
## Quick answer
Fail-safe means the door unlocks when power is removed (used on egress paths so occupants are not trapped); fail-secure means the door stays locked when power is removed (used on perimeter and high-security rooms so an attacker cannot disable it with a power cut). The choice is per-door, dictated by the door's role in egress and by the fire-alarm cause-and-effect: every door on an egress path must be fail-safe and must release on a fire-alarm trigger, no exceptions. Get this wrong and the building either traps occupants in a fire or hands an attacker the keys to the perimeter.
Access control hardware is one of the few systems in a building where the engineering decision sits squarely between two non-negotiables. Fail-safe means the door unlocks when power is removed. Fail-secure means it stays locked. Both are correct for some doors and dangerous for others, and the choice is per-door, not per-building.
The decision is driven by two questions. First: is this door on an egress path? If yes, it must be fail-safe — occupants must be able to exit when power fails or when the fire-alarm fires, regardless of the access-control system's state. Second: is this door on a perimeter or guarding a high-security asset? If yes, fail-secure is usually right — an attacker who pulls the building's main breaker should not have the perimeter handed to them.
## The fire-alarm cause-and-effect resolves most of the doubt
On any door where there is genuine doubt about which choice applies, the fire-alarm cause-and-effect resolves it. The matrix specifies which doors release on a fire-alarm trigger, and any door that releases on the matrix must be fail-safe in its hardware. The matrix is the contract; the hardware implements the contract. Where the matrix says 'release on Zone 3 alarm', the door's electromagnetic lock or strike has to be fail-safe, and the matrix's release relay has to interrupt the lock's power supply. That relay is a hard-wired contact from the fire-alarm panel in the lock's supply circuit, not a software command to the access controller, because the controller may be the thing that has failed; the test that proves it is to trip the zone at the panel with the access controller powered down and watch the door open. Anything else risks a door that the matrix says is unlocked but the hardware says is still locked, and that gap is what kills people.
## The egress-path test is the simple form of the question
For most buildings, the per-door classification reduces to a simple test: is this door part of the route an occupant would take to exit the building? If yes, fail-safe. The route includes the corridor doors, the stairwell doors, the lobby doors, and the final external door. All of these must release on the fire-alarm matrix; all of these must be fail-safe in hardware.
The exceptions are doors that are not on the egress path: server rooms, drug stores, plant rooms, perimeter gates, secure stores. These doors are typically fail-secure in hardware — they stay locked on power failure, and they have a separate egress path (a secondary door, an emergency override) for any occupant who happens to be inside when power fails. The fire-alarm matrix can still trigger them to unlock if the brief requires (e.g. a server room with a fire-suppression system that needs the door open for ventilation), but the default is locked.
## Magnetic locks vs electric strikes — the hardware translation of the choice
Magnetic locks (maglocks) are inherently fail-safe: they hold the door closed only while energised, and removing power releases them. Electric strikes can be specified as either fail-safe (releases on power loss) or fail-secure (stays locked on power loss), and the two look identical once fitted, so the fail-state has to be written on the purchase order and checked on delivery. Mortise locksets with motorised retraction are usually fail-secure unless explicitly specified otherwise. We translate the per-door classification into a hardware schedule on every project, with the door's role, its fail-state, its release-source on the fire-alarm matrix, and its hardware part number recorded in writing.
Where the architect specifies a maglock on a high-security door, we flag the issue early — a maglock is fail-safe, and a fail-safe perimeter door fails the security brief. The conversation with the architect produces either a fail-secure electric strike, a maglock with secondary mechanical security (deadbolt that engages on power loss), or an explicit acceptance that the perimeter is fail-safe for fire-safety reasons.
## Free-egress hardware is non-negotiable on every door
Regardless of fail-state, every access-controlled door must permit free egress from the inside. The reader is on the outside; the inside has a request-to-exit button (REX), a passive infrared sensor (PIR), or a mechanical handle or push-bar that releases the lock without authentication. The distinction matters on fail-secure doors: a REX and a PIR are powered devices, so on a door that stays locked without power they do nothing in exactly the case that matters, and only a mechanical means of egress counts. We check the free-egress hardware on every commissioning and we test it on every quarterly AMC visit. A door that fails the free-egress test is taken out of service the same day; the alternative is a building that can lock its occupants in.
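The egress test, the hardware translation and the free-egress rule above are all checks on the same per-door record, so they can be run as a lint over the fail-state register before the schedule goes to the architect. What follows is an added example written for this article, not TechnoGuru's own tooling: the `Door` fields, the rule wording, the `MECHANICAL_EGRESS` assumption (that REX and PIR devices cannot release an unpowered fail-secure lock) and the sample register are all constructed for illustration.

```python
"""Lint a per-door fail-state register against the rules in this article.

Added example, not TechnoGuru's own tooling. The Door fields, the rule
wording and the sample register below are constructed for illustration;
a real register would be exported from the access-control configuration
and the fire-safety as-built.
"""
from __future__ import annotations

from dataclasses import dataclass

FAIL_SAFE = "fail-safe"      # unlocks when lock power is removed
FAIL_SECURE = "fail-secure"  # stays locked when lock power is removed

# Egress means that still work with no power on the door. Assumption: REX
# buttons and PIR sensors are powered devices and cannot release an
# unpowered fail-secure lock; only mechanical hardware can.
MECHANICAL_EGRESS = frozenset({"push-bar", "lever"})


@dataclass(frozen=True)
class Door:
    door_id: str
    role: str                         # "egress", "perimeter", "secure-room", "internal"
    on_egress_path: bool
    lock_type: str                    # "maglock", "strike", "mortise"
    fail_state: str                   # FAIL_SAFE or FAIL_SECURE
    alarm_release: bool               # on the fire-alarm cause-and-effect release list
    free_egress: frozenset[str]       # subset of {"rex", "pir", "push-bar", "lever"}
    secondary_egress: bool = False    # a second way out of the space
    fail_safe_accepted: bool = False  # written acceptance of a fail-safe perimeter door


def lint_door(d: Door) -> list[str]:
    """Return the findings for one door; an empty list means compliant."""
    findings: list[str] = []

    # Hardware physics: a maglock holds only while energised, so it is fail-safe.
    if d.lock_type == "maglock" and d.fail_state != FAIL_SAFE:
        findings.append("maglock cannot be fail-secure; it releases on power loss")

    # Free egress from the inside on every door, whatever the fail-state.
    if not d.free_egress:
        findings.append("no free-egress hardware on the inside")
    elif d.fail_state == FAIL_SECURE and not (
            d.free_egress & MECHANICAL_EGRESS or d.secondary_egress):
        findings.append("fail-secure lock with only powered egress devices and no "
                        "secondary egress; REX/PIR cannot release it on power loss")

    if d.on_egress_path:
        # The egress test: the route out must open on power loss and on alarm.
        if d.fail_state != FAIL_SAFE:
            findings.append("egress-path door must be fail-safe")
        if not d.alarm_release:
            findings.append("egress-path door must release on the fire-alarm matrix")
        if d.lock_type == "maglock" and not d.free_egress >= {"rex", "push-bar"}:
            findings.append("maglock on egress needs both a REX and a push-bar override")
    elif (d.role in {"perimeter", "secure-room"} and d.fail_state == FAIL_SAFE
          and not d.fail_safe_accepted):
        findings.append("fail-safe hardware on a perimeter/high-security door; needs a "
                        "fail-secure strike, a mechanical deadbolt, or written acceptance")

    # The matrix contract: breaking the supply only opens fail-safe hardware.
    # A fail-secure door on the release list needs energise-to-release wiring
    # from a battery-backed supply, and that has to be confirmed on site.
    if d.alarm_release and d.fail_state == FAIL_SECURE:
        findings.append("confirm energise-to-release wiring and battery-backed release "
                        "supply for matrix release of fail-secure hardware")

    return findings


def lint_register(doors: list[Door]) -> dict[str, list[str]]:
    """Map door id -> findings, for doors that have at least one finding."""
    return {d.door_id: f for d in doors if (f := lint_door(d))}


# Constructed sample register; not a real project's door list.
SAMPLE_REGISTER = [
    Door("C1-01", "egress", True, "maglock", FAIL_SAFE, True,
         frozenset({"rex", "push-bar"})),
    Door("SR-01", "secure-room", False, "strike", FAIL_SECURE, False,
         frozenset({"rex", "lever"})),
    Door("SR-02", "secure-room", False, "strike", FAIL_SECURE, True,
         frozenset({"lever"})),
    Door("ST-02", "egress", True, "strike", FAIL_SECURE, False,
         frozenset({"rex"})),
    Door("P-01", "perimeter", False, "maglock", FAIL_SAFE, False,
         frozenset({"rex"})),
    Door("DS-01", "secure-room", False, "maglock", FAIL_SECURE, False,
         frozenset({"rex"})),
]

if __name__ == "__main__":
    for door_id, findings in lint_register(SAMPLE_REGISTER).items():
        print(door_id)
        for finding in findings:
            print("  -", finding)
```

Run against the sample register, the corridor door and the first server-room door pass, the stairwell door with a fail-secure strike collects three findings, the maglock on the perimeter gate is flagged for written acceptance, and the "fail-secure maglock" on the drug store is caught as a physical impossibility. The last rule is deliberately a check rather than a failure, because a fail-secure strike on the release list is a legitimate design once the energise-to-release wiring is proven.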
## Callout — what buyers most miss
**The classification is per-door, signed by the fire-safety officer, and recorded in the as-built drawings.** Most access-control deployments record the door schedule in the access-control system's configuration but not in the fire-safety as-built. That gap means a future contractor can swap a door's fail-state without anyone noticing the change. We record the per-door fail-state classification in both the access-control configuration and the fire-safety as-built, signed by the fire-safety officer, so any future change is visible to both systems.
## Reference deployment context
On the Tinsukia Medical College & Hospital deployment, the per-door fail-state classification covered 184 access-controlled doors. Theatre doors were specified as fail-safe with manual override (the OT team can override on emergency); drug stores and pharmacy doors were fail-secure with REX; corridor doors on egress paths were fail-safe and released on the fire-alarm matrix; the records-room and the medical-records archive were fail-secure with separate egress on a secondary door. The classification is in the as-built and the AMC log.
## References
1. NBC 2016, Volume 2 — fire and life-safety provisions for egress.
2. IS 13716 — *Code of practice for fire safety of buildings (general): Means of escape*.
3. NFPA 101 (Life Safety Code, 2024 edition) — egress and door-hardware provisions.
4. UL 294 — Standard for *Access Control System Units* (door-strike fail-state designations).
## Frequently asked
Quick answers from the practice.
- Can a door be both fail-safe and fail-secure?
- Conceptually no, but in practice you can pair a fail-secure strike with a fire-alarm-triggered release relay so the door stays locked on a plain power cut and is released on a fire-alarm event. Be precise about what that buys: the relay energises the strike to release it, so it needs a battery-backed supply, and if the lock supply itself is gone the door is still locked, which is why the inside handle or push-bar must retract the latch mechanically. This is the design for many high-security egress doors — IT server rooms with emergency egress through them, surgical suites with egress to a hot zone. The relay is the engineering work; the door hardware is identical.
- What does NBC say about egress doors?
- NBC 2016 Volume 2 mandates that every door on an egress path must release on a fire-alarm trigger and must allow occupants to exit without a key, fob or card. Fail-safe hardware with a fire-alarm cause-and-effect release is the compliant specification for any lock that holds the egress side of the door. Fail-secure hardware holding an egress path is a code violation and a ground for refusing the building's occupancy NOC.
- Are magnetic locks (maglocks) acceptable on egress?
- Only when paired with a request-to-exit sensor, an emergency push-bar override, and a fire-alarm cause-and-effect release. Maglocks alone on egress are not code-compliant — the failure modes (loss of power without proper release wiring) trap occupants. We typically prefer electric strikes over maglocks on egress paths for this reason.
- What about computer-room doors with biometric access?
- Fail-secure hardware for normal operation (the asset stays protected on a power cut), a fire-alarm-triggered release relay so occupants can get out under fire conditions, and a mechanical inside handle so they can get out on a plain power cut. The reader, the controller and the lock power supply all stay on an independent UPS so that card-only fallback works during a power blip without a fire event; a reader on UPS in front of an unpowered fail-secure strike admits nobody. This is the standard pattern for server rooms, drug stores, vaults and OT corridors.
- Will TechnoGuru document the fail-state per door at handover?
- Yes. The door-by-door fail-state register is a standard deliverable: fail-safe vs fail-secure, fire-alarm release relay, request-to-exit sensor, push-bar override, and a record of any deviation from the egress rule and who accepted it. Signed off by clinical engineering or facilities, the AHJ, and the architect.
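The first and fourth questions above, and the matrix-contract section earlier, all turn on one distinction: a fail-safe lock released by breaking its feed, versus a fail-secure strike released by energising its coil. The truth table below is an added example, not part of the original page or TechnoGuru's material; the two circuit models are assumptions about typical wiring (normally-closed alarm and REX contacts in series with a fail-safe lock feed; an alarm relay or REX that closes the feed to a fail-secure strike coil), and the function names are made up for illustration.

```python
"""Truth table for the two release wirings discussed in this article.

Added example, not the page's own material. Both circuit models are
assumptions about typical wiring, stated in each function's docstring.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Inputs:
    lock_power: bool  # the lock PSU (including any battery) is delivering power
    fire_alarm: bool  # the cause-and-effect matrix has asserted the release relay
    rex: bool         # a request-to-exit device is active


def fail_safe_break_to_release(i: Inputs) -> bool:
    """Fail-safe maglock or strike. Assumed wiring: the alarm relay and the REX
    are normally-closed contacts in series with the lock feed; opening either,
    or losing the feed itself, releases the door. Returns True if released."""
    held = i.lock_power and not i.fire_alarm and not i.rex
    return not held


def fail_secure_energise_to_release(i: Inputs) -> bool:
    """Fail-secure strike. Assumed wiring: the alarm relay or the REX closes
    the feed to the strike coil, which must be driven to release. With no lock
    power nothing can drive the coil. Returns True if released."""
    return i.lock_power and (i.fire_alarm or i.rex)


# All eight input combinations, so nothing is left to intuition.
ALL_INPUTS = [Inputs(p, a, r) for p, a, r in product((True, False), repeat=3)]


def release_gap() -> list[Inputs]:
    """Input combinations where the fail-safe design releases the door but the
    fail-secure-plus-relay design leaves it locked. This is the gap the matrix
    cannot see: it asserted the release, and the door did not open."""
    return [i for i in ALL_INPUTS
            if fail_safe_break_to_release(i) and not fail_secure_energise_to_release(i)]


def same_under_power() -> bool:
    """With lock power present the two wirings behave identically."""
    return all(fail_safe_break_to_release(i) == fail_secure_energise_to_release(i)
               for i in ALL_INPUTS if i.lock_power)


if __name__ == "__main__":
    print("power alarm rex | fail-safe/break fail-secure/energise")
    for i in ALL_INPUTS:
        print(f"{i.lock_power!s:5} {i.fire_alarm!s:5} {i.rex!s:3} | "
              f"{fail_safe_break_to_release(i)!s:15} "
              f"{fail_secure_energise_to_release(i)!s}")
    print("gap rows:", len(release_gap()))
```

Every row in the gap has `lock_power` false and nothing else in common: the two designs agree completely while the lock supply is up, and disagree completely once it is down, whether or not the alarm or the REX is asserted. A battery-backed lock PSU shrinks that window but cannot close it, which is why the fail-secure-plus-relay pattern is only acceptable on a door whose inside handle or push-bar retracts the latch with no power at all.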