ISO 45001 Incident Investigation: Requirements and Best Practices
Certification audits for ISO 45001 routinely surface one finding above others: incident investigations that stop at the visible cause and go no further. The corrective action gets logged, the form gets filed, and the next surveillance audit uncovers the same gap in a slightly different shape.
This is not a paperwork problem. It is a process problem — and Clause 10.2 of ISO 45001:2018 is specific about what that process must include.
This guide breaks down the regulatory requirements under Clause 10.2, walks through a compliant investigation procedure step by step, identifies the gaps most commonly cited during certification audits, and explains the consequences that follow when they go unaddressed.
What ISO 45001 Requires: Clause 10.2 in Plain Terms
ISO 45001:2018 Clause 10.2 covers three linked obligations: incidents, nonconformity, and corrective action. For most EHS managers, the incident investigation component draws the most auditor attention.
The standard requires organizations to establish, implement, and maintain a process for reporting, investigating, and taking action on incidents and nonconformities. That process must enable the organization to:
- Respond in a timely manner — react to incidents and take action to control and correct them
- Evaluate the need for corrective action — with the participation of workers and relevant interested parties, determine whether corrective action is warranted to eliminate root causes
- Determine causes — investigate the incident and identify why it occurred, including whether similar incidents have occurred elsewhere or could occur in the future
- Implement controls — apply corrective actions consistent with the hierarchy of controls; link findings back to existing risk assessments
- Review effectiveness — assess whether corrective actions actually eliminated the cause or merely addressed the symptom
- Communicate findings — share documented information with workers, workers' representatives, and other relevant stakeholders
- Retain documented information — maintain records of the nature of incidents, subsequent actions taken, and evidence of corrective action effectiveness
One point that frequently produces audit findings: the standard's definition of "incident" explicitly includes near-misses and dangerous occurrences, not only injuries or property damage. An organization that investigates injuries but has no process for near-miss reporting is operating with an incomplete system — and auditors will note it.
Worker participation is another non-negotiable. Clause 10.2 specifies that the evaluation of corrective action must occur "with the participation of workers." This is not a suggestion. An investigation conducted entirely by management with no worker input fails to meet the requirement on its face.
The Audit Context: Why This Clause Gets Scrutinized
ISO 45001 surpassed 355,000 global certifications in the 2024 ISO Survey — a 37% increase from 2022 figures. Certification bodies have built extensive datasets on where organizations consistently fall short. Clause 10.2 appears in that data with regularity.
According to audit findings published by certification specialists including Smithers and ISOQAR, the most frequently cited nonconformities in ISO 45001 audits include inadequate documentation, poor corrective action follow-through, and incomplete incident investigation processes. These are not isolated findings — they appear across industries and organization sizes.
The consequences are concrete. ISO 45001 certifications are valid for three years, with annual surveillance audits in between. A major nonconformity — defined as a total or significant failure to meet a clause requirement — can result in suspension or withdrawal of certification. Unresolved minor nonconformities can accumulate into a major finding at the next surveillance cycle.
Beyond the certification body, regulators in many jurisdictions treat an organization's OHSMS documentation as evidence in enforcement proceedings. In the US, UK, EU, and Australia, documented incident investigations (or their absence) directly affect how enforcement agencies assess culpability and calculate penalties following a serious incident. Certification does not provide immunity, but it does establish a baseline obligation — and failing to meet your own documented procedures is typically treated as an aggravating factor.
Step-by-Step: A Clause 10.2-Compliant Investigation Process
The following sequence reflects what a compliant incident investigation looks like in practice. The steps are ordered to satisfy audit scrutiny while also being operationally realistic.
Step 1: Immediate Notification and Scene Preservation
Incidents — including near-misses — must be reported without undue delay. Establish a clear reporting threshold so workers know what requires immediate notification and what can wait for a shift-end log entry.
Preserve the scene where practicable. Physical evidence deteriorates rapidly. Photographs, measurements, equipment positions, environmental conditions, and witness details captured in the first hour have significantly higher evidentiary value than reconstructed accounts taken days later.
Assign a lead investigator and confirm they have no conflict of interest with the incident or the workers involved.
Step 2: Worker Participation — Structure It, Don't Assume It
Worker participation is required by the standard and is also the most practically valuable element of the investigation. Workers who perform the job daily understand the gap between documented procedures and actual practice. That gap is frequently where incidents originate.
Participation does not require every affected worker to attend every meeting. It does require a structured mechanism: a designated worker representative, a formal interview process, or joint review sessions. Document who participated and in what capacity. Auditors will ask.
Step 3: Immediate Cause Identification
Identify what happened and what directly caused it. This is the factual layer of the investigation: the equipment state, the task being performed, the environmental conditions, the worker actions at the time of the incident.
At this stage, avoid cause attribution. The goal is fact collection, not fault assignment. Causation analysis comes in the next step.
Step 4: Root Cause Analysis
This is where most organizations' investigations fail — stopping at the immediate cause and logging it as the finding.
ISO 45001 does not specify a root cause analysis method, but it does require that causes be determined. Common structured methods include:
- 5 Whys — ask "why" sequentially until you reach a systemic failure (typically five iterations)
- Fishbone (Ishikawa) Diagram — map contributing causes across categories (Equipment, Method, Person, Environment, Management)
- Fault Tree Analysis — work backward from the incident using a logic tree to identify all contributing pathways
Regardless of method, the analysis must reach beyond individual behavior. "Operator did not follow procedure" is an observation, not a root cause. The root cause is the condition that made not following the procedure possible and undetected: absent supervision, inadequate training, a procedure that cannot realistically be followed under production conditions, or management pressure that implicitly deprioritizes compliance.
Step 5: Review Existing Risk Assessments
Clause 10.2 links investigation directly to the organization's risk management process. After determining root causes, review the relevant risk assessments to determine whether the hazard was identified and whether the existing controls were adequate. If the hazard was not identified, or controls failed, the risk assessment must be updated.
This step converts incident investigation from a reactive exercise into a mechanism for improving the OHS management system as a whole.
Step 6: Corrective Action Assignment
Assign corrective actions to named individuals with specific due dates. Actions should:
- Target the root cause, not just the immediate cause
- Be consistent with the hierarchy of controls (elimination before substitution before engineering controls before administrative controls before PPE)
- Include a verification step that confirms effectiveness after implementation
Vague corrective actions — "remind workers of the procedure," "retrain operators" — are a common audit finding. They address behavior without addressing the conditions that produced the behavior.
Step 7: Communication and Closure
Communicate investigation findings to workers who were involved, workers who perform similar tasks or work in similar areas, worker representatives, and relevant management. The communication does not need to assign blame — it should focus on findings and corrective actions.
Close the investigation only when corrective actions have been implemented and their effectiveness verified. Document the closure date and the verification method.
Step 8: Documented Information — What to Retain
The standard requires retention of documented information as evidence. A compliant investigation record should contain:
| Document Element | Content |
|---|---|
| Incident record | Date, time, location, description, people involved, witnesses |
| Scene documentation | Photographs, measurements, equipment state |
| Interview records | Summary of worker accounts, investigator, date |
| Root cause analysis | Method used, documented chain, findings |
| Risk assessment review | Which assessments were reviewed, updates made |
| Corrective actions | Action description, owner, due date, status |
| Effectiveness verification | How verified, date, outcome |
| Communication log | Who was informed, when, method |
Common Gaps That Produce Audit Findings
Certification auditors and EHS consultants consistently identify the same categories of deficiency. Understanding them allows organizations to address them proactively rather than through a corrective action request during surveillance.
Gap 1: Near-miss investigations treated as optional
Organizations that investigate injuries but have no structured process for near-misses are operating below the standard's requirements. Near-misses are precursors to serious incidents and explicitly fall within the standard's definition of an event requiring investigation. Auditors look for both the process and evidence of its use.
Gap 2: Root cause analysis that terminates at individual behavior
Finding that a worker made an error and stopping there is the most common substantive deficiency. The standard requires determining causes in a way that enables corrective actions to prevent recurrence. If the root cause is always the individual, the corrective action is always retraining — and recurrence rates don't change.
Gap 3: Corrective actions that are never verified for effectiveness
Logging a corrective action as complete when it has been assigned, rather than when it has been implemented and verified, is a documentation integrity issue that auditors treat seriously. The standard requires evidence that actions were effective, not just that they were planned.
Gap 4: Worker participation recorded as attendance, not contribution
Signing workers into an investigation meeting does not satisfy the participation requirement if there is no mechanism for their input to influence the investigation's findings. Auditors will probe whether worker input was actually considered.
Gap 5: Investigation records that cannot be retrieved under audit pressure
Records stored in inconsistent locations — spreadsheets on individual desktops, paper files in separate departments, email chains — create retrieval problems during audits and create gaps when staff turnover occurs. The standard requires that documented information be controlled and accessible.
Gap 6: Risk assessments not updated following incidents
When an incident reveals a hazard that was not identified in the risk assessment, or reveals that identified controls failed, the risk assessment must be updated. Many organizations complete the investigation but never close the loop back to the risk register.
WhyTrace Plus for ISO 45001 Investigations
WhyTrace Plus provides structured investigation workflows aligned with Clause 10.2 requirements — from incident capture through root cause analysis, corrective action assignment, and effectiveness verification. Investigation records are centrally stored, timestamped, and retrievable for audit. Worker participation is documented as part of the investigation record, not as a separate log.
Connecting Clause 10.2 to the Broader OHS Management System
ISO 45001 is built on the Plan-Do-Check-Act cycle. Clause 10.2 sits in the "Check and Act" phase, but its findings are intended to feed back into "Plan." This is the mechanism that makes the system self-improving rather than static.
An effective investigation process connects to:
- Clause 6.1 (Risk Assessment) — incidents surface unidentified hazards or failed controls that require risk register updates
- Clause 7.2 (Competence) — root causes that involve training gaps trigger competence record reviews
- Clause 8.1 (Operational Planning and Control) — corrective actions that change procedures feed into operational controls
- Clause 9.3 (Management Review) — investigation trends and corrective action status are inputs to management review
- Clause 10.3 (Continual Improvement) — patterns identified across multiple investigations drive systemic improvements
Organizations that treat each investigation as an isolated administrative event miss the feedback mechanism the standard is designed to create. An EHS manager who can walk an auditor through how a specific investigation led to a risk assessment update, a procedure change, and a management review input is demonstrating a functioning system — not just a documented one.
Preparing for Surveillance Audits: A Practical Checklist
The following items represent what a well-prepared organization can demonstrate at a surveillance audit covering Clause 10.2:
- Written procedure defining what constitutes a reportable incident, including near-misses and dangerous occurrences
- Evidence of incident reports filed within the defined timeframe, including near-miss reports
- Completed investigation records for all reportable incidents in the audit period
- Root cause analysis documentation showing method used and cause chain
- Evidence of worker participation in investigations (not just attendance)
- Risk assessment review records linked to investigations where a new hazard or control failure was identified
- Corrective action log with owners, due dates, and completion status
- Effectiveness verification records for closed corrective actions
- Evidence that investigation findings were communicated to relevant workers
- Trend analysis or management review input referencing investigation findings
Audit Readiness Without the Manual Assembly
Preparing documentation for a Clause 10.2 audit review typically means pulling records from multiple sources and assembling a coherent picture after the fact. WhyTrace Plus maintains investigation records in a single system with built-in traceability — from the initial incident report through root cause analysis, corrective action closure, and effectiveness verification. When an auditor asks for evidence, the record is already complete.
Key Takeaways
- ISO 45001 Clause 10.2 requires a documented process for reporting, investigating, and taking corrective action on all incidents — including near-misses — with mandatory worker participation.
- Investigations must determine root causes, not simply record immediate causes. An individual behavior finding is a starting point, not a conclusion.
- Corrective actions must be verified for effectiveness and documented; assignment alone does not satisfy the requirement.
- Investigation findings must be connected back to risk assessments, operational controls, and management review inputs. The standard is designed as a feedback system.
- The most common audit findings — incomplete near-miss processes, root cause analysis that stops at behavior, unverified corrective actions — are all preventable with a structured process and consistent documentation.
- Major nonconformities in Clause 10.2 can result in certification suspension. Unresolved minor nonconformities accumulate into major findings over surveillance cycles.