Last updated: 2026-03-25
Every workplace incident is a failure of a system — not a single person. That distinction is the foundation of every effective root cause analysis (RCA), and it is precisely the mindset that ISO 45001:2023 is built around. Yet in my work with organizations across more than 200 client engagements at Certify Consulting, I see the same mistake made repeatedly: companies log an incident, write "employee error" in the cause field, and consider the matter closed. That approach does not satisfy the standard, and more importantly, it does not prevent the next incident.
This guide will walk you through exactly what ISO 45001 demands of your incident investigation process, which root cause analysis methods actually work in practice, and how to close the loop so your OH&S management system (OHSMS) genuinely improves over time.
What ISO 45001 Requires for Incident Investigation
ISO 45001:2023 addresses incident investigation primarily under Clause 10.2 — Incident, nonconformity, and corrective action. The standard does not prescribe a specific investigation methodology, but it does define a clear set of obligations that organizations must fulfill.
Under Clause 10.2, when an incident occurs, organizations must:
- React in a timely manner — take action to control and correct the incident, and deal with the consequences.
- Evaluate the need for corrective action — to eliminate the root causes so that the incident does not recur or occur elsewhere.
- Review existing risk assessments — and update them in light of new information (linking back to Clause 6.1.2, hazard identification and risk assessment).
- Consult with workers — a non-negotiable requirement. Clause 5.4 mandates worker participation, and this extends directly to the investigation process.
- Communicate results — relevant findings must be communicated to affected workers and, where applicable, worker representatives.
- Retain documented information — as evidence of the nature of the incidents and any corrective actions taken.
A critical point that many organizations miss: ISO 45001 requires investigation of both incidents and near misses. The standard defines an incident as "an occurrence arising from, or in connection with, work that could result in or does result in injury and ill health" — meaning near misses are explicitly included. Organizations that investigate only recordable injuries are out of conformance with the intent of ISO 45001:2023 Clause 10.2.
Why "Human Error" Is Never a Root Cause
Before diving into specific RCA methods, let's address the single most common failure in workplace incident investigation: stopping at "human error."
When an auditor — including any of the third-party lead auditors I work alongside — sees a corrective action that says "retrain employee" as the sole response to a serious incident, that is a red flag. Retraining addresses a symptom. It does not address the system conditions that made the error possible.
Cognitive scientists and safety researchers have established that human error is the mechanism of most incidents, not the cause. Behind virtually every instance of human error, you will find:
- Inadequate procedures or unclear work instructions
- Time pressure or production demands that created shortcuts
- Poorly designed tools, equipment, or workspaces
- Inadequate supervision or competency verification
- A normalization of deviation — where the "wrong" way had become the accepted way
The goal of ISO 45001-aligned incident investigation is not to assign blame; it is to identify and eliminate the systemic conditions that set workers up to fail.
The Heinrich Triangle Is Outdated — Here's What Replaced It
For decades, safety professionals cited the "Heinrich Triangle" (1:29:300 ratio of major incidents to minor incidents to near misses) as a justification for near-miss reporting programs. More recent research, including work published by the National Safety Council and the UK Health and Safety Executive, has challenged the predictive validity of that specific ratio.
What the research does consistently confirm is that near-miss events contain high-fidelity information about systemic hazards — often more actionable than post-incident data because the system failure is still intact and observable. This is why ISO 45001's inclusion of near misses in Clause 10.2 is not a bureaucratic nicety; it is operationally significant.
A robust near-miss reporting culture, supported by a non-punitive reporting environment (required under Clause 5.4(f)), is one of the strongest leading indicators of organizational safety maturity.
Four Root Cause Analysis Methods That Work Under ISO 45001
There is no single RCA method mandated by the standard. The right tool depends on the severity of the incident, the complexity of the causal chain, and the organizational resources available. Here are the four methods I most commonly recommend to clients:
1. The 5-Why Method
Best for: Low-to-moderate severity incidents with a relatively linear causal chain.
The 5-Why is the most accessible RCA tool and a good starting point for organizations building their investigation capability. The process is straightforward: ask "Why did this happen?" and, for each answer, ask "Why?" again — repeating until you reach a systemic root cause.
Example: - Incident: Worker slipped and fell in a warehouse aisle. - Why 1: The floor was wet. - Why 2: A forklift had leaked hydraulic fluid. - Why 3: The forklift was past its scheduled maintenance interval. - Why 4: The preventive maintenance system did not flag the overdue service. - Why 5: The CMMS (maintenance management system) was not configured to generate alerts for that equipment class.
Root cause: Systemic gap in preventive maintenance configuration — not a wet floor, and not an inattentive worker.
Limitation: The 5-Why can lead different investigators to different root causes depending on their starting assumptions. It works best as a structured team exercise, not a solo activity.
2. Fishbone (Ishikawa) Diagram
Best for: Incidents with multiple potential contributing factors across different categories.
The fishbone diagram organizes potential causes into standard categories (commonly: People, Process, Equipment, Environment, Management, Materials) and maps how each category may have contributed to the incident. It is especially useful in the early stages of investigation to ensure no contributing factor is overlooked.
ISO 45001 alignment: The fishbone structure naturally encourages investigators to look beyond the immediate act and examine management system factors — exactly what Clause 10.2 intends.
3. Bow-Tie Analysis
Best for: High-severity incidents, process safety events, or incidents with complex hazard pathways.
The bow-tie diagram maps both the causes (threats) that led to a hazardous event and the consequences (escalation factors) that resulted from it. It visually represents the barriers that failed on both sides of the event.
This method is particularly powerful because it connects directly to your Clause 6.1 risk assessment framework. After completing a bow-tie analysis post-incident, you can immediately identify which controls in your risk register failed or were absent — making the corrective action planning far more precise.
4. Fault Tree Analysis (FTA)
Best for: Complex, high-consequence incidents where multiple simultaneous failures contributed to the outcome.
FTA uses Boolean logic (AND/OR gates) to map the combinations of failures that could produce the top-level event (the incident). It is the most rigorous of the four methods and is commonly used in process industries, construction, and healthcare.
While FTA requires more training to execute correctly, it produces highly defensible causal documentation — which matters in incidents that may involve regulatory scrutiny or litigation.
Comparing RCA Methods: A Quick Reference
| Method | Best For | Complexity | Team Size Needed | ISO 45001 Alignment |
|---|---|---|---|---|
| 5-Why | Low/moderate incidents, linear causes | Low | 2–4 people | Strong (accessible, repeatable) |
| Fishbone Diagram | Multi-factor incidents | Medium | 4–8 people | Strong (system-wide view) |
| Bow-Tie Analysis | High-severity, risk-linked events | Medium-High | 4–8 people | Very strong (links to Clause 6.1) |
| Fault Tree Analysis | Complex, multi-failure incidents | High | 6–10 people, specialist | Very strong (regulatory-grade) |
The Seven-Step Incident Investigation Process
Regardless of which RCA tool you use, the investigation process itself should follow a consistent structure. Here is the framework I implement with clients:
Step 1: Secure the Scene and Provide Immediate Care
Before any analysis begins, ensure the injured or affected worker receives appropriate medical care. Secure and preserve the scene to prevent evidence loss. Take photographs, video, and measurements. Do not move equipment or materials until documented.
Step 2: Notify Relevant Parties
Trigger your notification chain — internal management, worker representatives (Clause 5.4), and any external parties required by regulation (e.g., OSHA under 29 CFR 1904 for U.S.-based organizations, or HSE under RIDDOR in the UK). Time requirements vary by jurisdiction and incident severity — know your obligations before an incident occurs.
Step 3: Assemble the Investigation Team
Effective investigations are team efforts. Include: - The supervisor of the affected area - A safety representative or OH&S professional - An affected worker representative (required under Clause 5.4) - A subject matter expert familiar with the task or equipment involved
Avoid stacking the team with management personnel only. Worker participation is not optional under ISO 45001 — and frankly, workers often have the most operationally accurate information.
Step 4: Collect Data
Gather all relevant evidence: physical evidence, photographs, equipment inspection records, training records, work procedures, maintenance logs, and witness statements. Conduct interviews promptly — memory degrades rapidly after an incident. Use open-ended questions and avoid leading witnesses toward a predetermined cause.
Step 5: Apply Your RCA Method
Choose the appropriate tool based on incident severity and complexity (see the comparison table above). Document your analysis thoroughly. The root cause statement must be specific enough to drive a corrective action — "inadequate procedure" is better than "human error," but "Work Instruction WI-045 lacks a step requiring hydraulic fluid level verification before each shift" is better still.
Step 6: Develop and Implement Corrective Actions
Corrective actions must address root causes, not just symptoms. Use the Hierarchy of Controls (ISO 45001 Annex A and Clause 8.1.2) to select the most effective control type:
- Elimination (most effective)
- Substitution
- Engineering controls
- Administrative controls
- PPE (least effective)
Assign a specific owner, a target completion date, and verification criteria for each corrective action. This is documented information under Clause 10.2(f).
Step 7: Verify Effectiveness and Update the OHSMS
This step is where most organizations fall short. Completing a corrective action is not the same as verifying it works. Build a follow-up review into your process — typically 30, 60, or 90 days post-implementation — to confirm the root cause has been addressed and the incident type has not recurred.
Critically, update your Clause 6.1.2 risk assessments, your hazard register, and any relevant procedures or training materials. The incident investigation process feeds directly into the Plan-Do-Check-Act (PDCA) cycle that underpins ISO 45001's continual improvement requirement (Clause 10.3).
Common Audit Findings in Incident Investigation
In my experience conducting and preparing clients for ISO 45001 surveillance and recertification audits, these are the most frequently cited nonconformities related to Clause 10.2:
| Nonconformity | Root Cause | Fix |
|---|---|---|
| Near misses not investigated | Program scope limited to recordable injuries | Revise procedure to explicitly include near misses and hazardous conditions |
| Corrective actions address symptoms only | Investigation stops at "human error" | Require 5-Why or equivalent as minimum for all investigations |
| No worker involvement in investigation | HR or management leads investigation alone | Embed worker representative requirement in investigation procedure |
| Corrective actions not verified for effectiveness | No follow-up mechanism | Add formal effectiveness review step with documented evidence |
| Risk assessments not updated post-incident | Investigation process siloed from risk management | Link investigation procedure to Clause 6.1.2 risk review trigger |
| Investigation timelines not met | No defined response time requirements | Define and document investigation timelines by severity level |
Building a Culture That Reports Incidents — Including Near Misses
An investigation process is only as good as the incidents that get reported. Research from the National Safety Council indicates that the majority of near misses go unreported in organizations with punitive safety cultures. That means organizations with blame-oriented incident response are systematically blind to their most prevalent systemic hazards.
ISO 45001 Clause 5.4(f) explicitly requires that organizations protect workers from reprisal for reporting incidents, hazards, and near misses. But procedural protection alone is not enough. The real driver of near-miss reporting is psychological safety — workers' confidence that reporting will result in system improvement, not personal consequences.
Practical steps to build that confidence:
- Close the loop publicly. When a near miss is reported and a corrective action is implemented, communicate that outcome back to the workforce. This demonstrates that reporting leads to action.
- Recognize reporters, not just incidents. Acknowledge workers who report near misses. Some organizations implement formal recognition programs; others simply ensure supervisors say "thank you."
- Track leading indicators. Near-miss report rates, hazard observation rates, and corrective action closure rates are leading indicators of safety performance. Share them at the management review (Clause 9.3).
- Make reporting easy. Digital reporting apps, anonymous hotlines, and supervisor-assisted verbal reporting all reduce friction in the reporting process.
How Incident Investigation Connects to the Broader OHSMS
Incident investigation is not a standalone process. Under ISO 45001, it is embedded in a network of interconnected clauses:
- Clause 6.1.2 — Hazard identification and risk assessment must be updated based on investigation findings.
- Clause 7.2 — Competence requirements may be revised if training gaps contributed to an incident.
- Clause 7.3 — Awareness training may need updating to reflect new hazard information.
- Clause 8.1 — Operational controls must be reviewed and potentially strengthened.
- Clause 9.1 — Investigation data feeds performance monitoring and KPI tracking.
- Clause 9.3 — Incident trends must be presented at management review.
- Clause 10.3 — Continual improvement actions often originate from investigation findings.
Organizations that treat incident investigation as an isolated HR or compliance function — rather than as a core OHSMS feedback mechanism — consistently underperform on audit and, more importantly, on actual safety outcomes.
Documented Information Requirements
Under ISO 45001 Clause 10.2(f), organizations must retain documented information as evidence of:
- The nature of the incidents investigated
- The results of the investigation
- Any corrective actions taken
- The effectiveness of those actions
There is no prescribed format. Your investigation records can be paper-based, digital, or managed within an EHSMS platform. What matters is that the documentation is complete, retrievable, and protected — and that it demonstrates a genuine analysis process, not just a checkbox exercise.
At minimum, your investigation record should include: - Incident description (what, where, when, who affected) - Immediate causes and contributing factors - Root cause analysis (method used and findings) - Corrective actions (owner, due date, verification criteria) - Effectiveness review results - Updates made to risk assessments or procedures
Frequently Asked Questions About ISO 45001 Incident Investigation
What is the difference between an incident and a near miss under ISO 45001?
Under ISO 45001:2023, both incidents and near misses fall under the same definition: "an occurrence arising from, or in connection with, work that could result in or does result in injury and ill health." A near miss is an incident where no injury or ill health occurred — but could have. Both require investigation under Clause 10.2.
Does ISO 45001 require a specific root cause analysis methodology?
No. ISO 45001:2023 Clause 10.2 does not mandate a specific RCA method. Organizations have flexibility to choose methods appropriate to the severity and complexity of each incident. Common methods include 5-Why, Fishbone (Ishikawa), Bow-Tie Analysis, and Fault Tree Analysis.
How quickly must an incident be investigated under ISO 45001?
ISO 45001:2023 requires that investigation occur "in a timely manner" but does not define specific timeframes. Best practice — and what I recommend to all Certify Consulting clients — is to define severity-tiered investigation timelines in your procedure: e.g., serious injuries within 24 hours, moderate incidents within 72 hours, near misses within 5 business days.
Can workers be excluded from the investigation process?
No. ISO 45001:2023 Clause 5.4 requires worker participation in the development, planning, implementation, and continual improvement of the OH&S management system — and this explicitly includes incident investigation. Excluding workers from investigations is a nonconformity against the standard.
How does incident investigation connect to management review under ISO 45001?
ISO 45001:2023 Clause 9.3 (Management Review) requires that top management review incidents, near misses, and the results of investigations as part of the management review input. Incident trends, corrective action status, and leading indicator data should all be presented at management review to support informed decision-making and resource allocation.
Conclusion: Investigation Is Only Valuable If It Drives Change
The most technically sophisticated root cause analysis in the world is worthless if its findings sit in a filing cabinet. The purpose of incident investigation under ISO 45001 is not compliance documentation — it is organizational learning that prevents the next incident.
In my 8+ years working with organizations pursuing and maintaining ISO 45001 certification, the ones that achieve genuine safety performance improvement share one characteristic: they treat every incident — including near misses — as actionable intelligence about their management system. They investigate systematically, involve workers genuinely, implement controls that address root causes, and verify that those controls actually work.
That cycle of investigate → improve → verify is the engine of continual improvement that ISO 45001 was designed to power.
If your current incident investigation process is not driving measurable improvement in your hazard profile, or if you're preparing for an upcoming audit and want to ensure your Clause 10.2 program is audit-ready, I'd encourage you to explore the resources available at Certify Consulting.
Last updated: 2026-03-25
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.