Incident Investigation

How to Build an Incident Timeline in the First 24 Hours

Build an incident timeline that protects sequence evidence, marks uncertainty, and gives RCA better questions before blame enters the room.


Key takeaways

  1. Build the first incident timeline as a versioned working draft so new evidence can change the sequence without hiding uncertainty.
  2. Anchor every entry in a named source, because camera logs, permits, witness accounts, and system data carry different evidentiary weight.
  3. Separate observation from interpretation before RCA starts, since early conclusions can push the team toward blame and away from latent conditions.
  4. Mark gaps openly and assign follow-up owners instead of filling missing time with assumptions that later become the official story.
  5. Connect timeline events to expected controls so the investigation can test barriers, supervision, design, and emergency response against evidence.

An incident timeline is the first discipline that keeps an investigation from becoming a debate about memory. This how-to guide shows EHS managers and supervisors how to build a defensible timeline in the first 24 hours, while facts are still fresh and evidence has not been overwritten by explanations.

The thesis is practical: the timeline should not prove a theory. It should protect the sequence of what is known, what is uncertain, and what still needs verification before RCA begins.

What you need before starting

Start with scene control, medical response, notification, and evidence preservation already under way. The timeline does not replace emergency response or legal reporting. It organizes the first available facts so the investigation team can see the event sequence without forcing a premature cause.

The minimum inputs are photographs, equipment status, permit or JSA records, alarm logs, access records, supervision notes, maintenance records, training records, shift handover notes, and initial witness accounts. If those inputs are weak, go back to incident evidence preservation before trying to reconstruct the sequence.

Across 25+ years leading EHS in multinational operations, Andreza Araujo has seen that investigations usually lose quality in the first day, not at the final report stage. Once leaders accept the first neat story, later evidence is often forced to fit it.

1. Freeze the first version as a working draft

Create the first timeline as a working draft, not as an official narrative. Label it clearly with the date, time, author, source list, and version number. That small discipline prevents later confusion when new evidence changes the order of events.

The first version should include only facts with a source. A fact can be a camera timestamp, a permit entry, a control-room alarm, a radio call, a badge record, a supervisor note, or a witness statement. A belief such as "the operator rushed" does not belong in the timeline unless evidence later supports what happened and why it mattered.

Use a simple table with four fields: time, event, source, confidence. The confidence field can be high, medium, low, or unverified. That one column protects the team from treating weak memory and system data as if they carried the same evidentiary weight.

2. Set the time anchor before collecting details

Every timeline needs a time anchor. In many incidents, the anchor is the injury time, alarm time, shutdown time, emergency call, or first supervisor notification. Once the anchor is fixed, events can be placed before and after it.

Do not assume all clocks agree. Camera systems, access-control logs, mobile phones, PLCs, radios, and handwritten permits may show different times because they are not always synchronized. Record the clock source beside each timestamp and note any known offset.

This matters because a three-minute difference can change the interpretation of supervision, isolation, response time, or emergency escalation. OSHA incident investigation guidance emphasizes collecting facts before determining causes, and time-source discipline is one way to keep that principle operational.

3. Build the sequence backward and forward

Start at the anchor event, then build backward until the last normal condition is identified. After that, build forward through immediate response, stabilization, notifications, and evidence-control decisions.

The backward sequence should answer what changed before the event: task start, permit approval, handover, equipment condition, contractor interface, weather, production change, maintenance intervention, line-up, isolation, supervisor contact, and any abnormal signal. The forward sequence should show who responded, what was stopped, what was preserved, who was interviewed, and which controls were put in place.

Andreza Araujo's book Sorte ou Capacidade, glossed for English readers as Luck or Capability, is useful here because serious events rarely begin at the moment of harm. The visible event sits near the end of a longer organizational sequence.

4. Separate observation from interpretation

Write timeline entries as observations first. "Forklift entered aisle B at 09:14 according to camera 3" is an observation. "Driver ignored the rule" is an interpretation, even if it later becomes relevant.

Interpretation can be captured in a separate notes column, but it should never replace the event description. James Reason's work on latent failures helps explain why this discipline matters. The visible action may be real, although the conditions that made it likely may sit in planning, supervision, design, maintenance, or pressure that existed before the worker acted.

This separation also protects interviews. When the timeline is full of conclusions, witnesses tend to agree, defend, or resist. When it is built from observations, witnesses can add missing details without being pushed toward the investigator's preferred theory.

5. Interview witnesses against the timeline, not around it

Use the draft timeline to guide witness interviews without showing it as the truth. Ask each witness what they saw, heard, did, expected, and understood at each relevant point in the sequence. Then record whether the account confirms, adds to, or conflicts with an existing entry.

Do not ask leading questions such as "Why did the operator skip the step?" when the skipped step has not been proven. Ask what the person saw before the step, what instruction they had, what was normal on that shift, and what changed after the exposure became visible.

The interview traps described in witness statement errors after incidents become more dangerous when the timeline is weak. A disciplined sequence helps the investigator test memory without turning the witness into the only source of truth.

6. Mark gaps instead of filling them with assumptions

A good incident timeline shows gaps openly. Missing video, a silent radio period, an unsigned permit field, a supervisor who cannot remember the handover, or a maintenance log with no closeout time should be marked as a gap, not silently resolved by assumption.

Each gap needs an owner and a follow-up action. The action may be to retrieve a system log, inspect a physical component, interview a second witness, compare shift records, or ask IT to preserve data before the retention period expires.
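
An added example (not from the original article) of the clock-offset discipline from step 2 and the gap marking from this step: it converts each source timestamp to one reference clock, orders the entries against the anchor, and inserts an explicit gap row where the sequence is silent. The clock names, offsets, the events other than the forklift entry, and the 10-minute gap threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed offsets: seconds each source clock runs ahead (+) or behind (-)
# of the reference clock (assumed here to be the control room). None = unknown.
CLOCK_OFFSETS = {"control_room": 0, "camera_3": 170, "badge_system": -45,
                 "handwritten": None}

# Constructed sample entries: (raw time on source clock, event, source clock).
ENTRIES = [
    ("08:55:15", "Supervisor badge exit from area", "badge_system"),
    ("09:10:00", "Permit field signed", "handwritten"),
    ("09:12:00", "Proximity alarm logged", "control_room"),
    ("09:13:30", "Emergency call placed", "control_room"),
    ("09:14:00", "Forklift entered aisle B", "camera_3"),
]

def to_reference(raw_time, clock):
    """Convert a source-clock time to reference time; flag unknown offsets."""
    t = datetime.strptime(raw_time, "%H:%M:%S")
    offset = CLOCK_OFFSETS.get(clock)
    if offset is None:
        return t, False          # keep raw value, mark offset as unverified
    return t - timedelta(seconds=offset), True

def build_timeline(entries, anchor_event, max_gap=timedelta(minutes=10)):
    """Sort on reference time, express each row relative to the anchor,
    and insert explicit GAP rows instead of leaving silent holes."""
    rows = []
    for raw, event, clock in entries:
        ref, known = to_reference(raw, clock)
        rows.append({"ref": ref, "event": event, "clock": clock,
                     "raw": raw, "offset_known": known})
    rows.sort(key=lambda r: r["ref"])
    anchor = next(r["ref"] for r in rows if r["event"] == anchor_event)
    out, prev = [], None
    for r in rows:
        if prev is not None and r["ref"] - prev > max_gap:
            out.append({"event": "GAP", "from": prev.strftime("%H:%M:%S"),
                        "to": r["ref"].strftime("%H:%M:%S"),
                        "owner": "UNASSIGNED"})
        r["rel_s"] = int((r["ref"] - anchor).total_seconds())
        out.append(r)
        prev = r["ref"]
    return out

if __name__ == "__main__":
    for row in build_timeline(ENTRIES, "Emergency call placed"):
        print(row)
```

On the raw timestamps the forklift entry appears 30 seconds after the emergency call; once the camera's 170-second offset is applied it falls 140 seconds before it.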

In more than 250 cultural transformation projects supported by Andreza Araujo's team, one repeated weakness is the organization that prefers a complete story over an honest one. The stronger investigation is willing to say "unknown" until evidence supports a better answer.

7. Connect each event to the control that should have worked

After the first sequence is stable, add a control column. For each important event, ask which control should have prevented exposure, detected drift, stopped the task, or reduced consequence.

This step turns the timeline from chronology into risk analysis. A permit approval connects to permit quality. A line break connects to isolation and verification. A vehicle movement connects to traffic separation. A delayed response connects to emergency preparedness. The point is not to name causes yet, but to show where the work system expected a barrier to hold.

That control lens prepares the team for an ICAM investigation (controls before causes) or a Fishbone session without starting from blame. The team can test barriers against sequence evidence instead of brainstorming generic categories.

8. Review the timeline with operations before RCA

Before the formal RCA meeting, review the timeline with operations, maintenance, supervision, EHS, and any contractor interface that touched the task. The question is not "Who caused this?" The question is whether the sequence is accurate enough for analysis.

Ask reviewers to challenge time order, missing steps, source quality, and control expectations. If two departments disagree, document the disagreement and the evidence needed to resolve it. Do not settle the disagreement by hierarchy, because the senior person may not have been closest to the work.

Daniel Kahneman's work on cognitive bias is useful here because early explanations become sticky. A cross-functional timeline review slows the team down before confirmation bias turns the first story into the investigation frame.

9. Convert the timeline into investigation questions

The final step is to turn the sequence into questions for RCA. Each question should come from a timeline entry, gap, or control expectation. That keeps the investigation grounded in evidence.

Examples include: why did the permit approval occur before the isolation status was verified, what changed between handover and task start, why did the alarm not trigger escalation, how did the contractor understand the exclusion zone, and why was the supervisor unavailable during a high-risk step?

Those questions can feed Fishbone analysis, corrective action planning, or a formal investigation method. The timeline should travel into the action plan too, because weak actions often appear when the team forgets exactly where the sequence failed.

Incident timeline template

Use the table below as a working format during the first 24 hours. Keep the file controlled, versioned, and accessible to the investigation lead.

| Field | What to record | Quality test |
|---|---|---|
| Time | Exact timestamp or estimated window | Which clock or person supports it? |
| Event | Observable action, condition, signal, or decision | Is it written without blame or conclusion? |
| Source | Photo, log, permit, interview, inspection, or system data | Can another reviewer find the same source? |
| Confidence | High, medium, low, or unverified | Does the confidence match the evidence strength? |
| Expected control | Barrier, rule, verification, supervision, design, or emergency response | Can the team test whether it worked? |
| Open question | Gap or conflict that needs follow-up | Does someone own the next action? |

Common errors to avoid

The most common error is writing the timeline after the cause has already been chosen. At that point, chronology becomes decoration. A second error is treating witness memory as a timestamp, especially when stress, injury, noise, and emergency response changed perception.

A third error is building one clean sequence when the event actually has parallel sequences: equipment condition, human movement, permit flow, supervision, contractor interface, and emergency response. Serious incidents often require more than one line of time before the team can see how the paths met.

The action discipline in post-incident action planning depends on this quality. If the timeline is weak, corrective actions will usually chase symptoms, retraining, and reminders rather than the control condition that made the event possible.

Conclusion

An incident timeline is not administrative paperwork. It is the investigation's first defense against memory drift, blame, and premature certainty. Build it in the first 24 hours, protect each source, mark uncertainty honestly, connect events to controls, and convert the sequence into RCA questions only after the facts are stable enough to support analysis.

If your organization needs incident investigations that preserve evidence and change the work system after harm, Andreza Araujo's consulting work through ACS Global Ventures can support the diagnostic and implementation path. Start with Andreza Araujo.


Frequently asked questions

What is an incident timeline?

An incident timeline is a controlled sequence of facts, sources, uncertainty, and open questions built after a workplace incident. It shows what happened before, during, and after the event so the investigation team can test evidence before deciding causes.

When should an incident timeline be created?

The first working version should be created in the first 24 hours, after emergency response and evidence preservation are under control. It should then be updated as photographs, logs, permits, interviews, maintenance records, and system data are verified.

Who should own the incident timeline?

The investigation lead should own version control, but operations, maintenance, EHS, supervision, contractors, and technical specialists may all provide source evidence. Ownership matters because an uncontrolled timeline can turn into competing narratives.

What should be included in an incident timeline?

Include timestamp or time window, event description, source, confidence level, expected control, and open question. The strongest entries are observable, sourced, and written without blame or conclusion.

How does a timeline improve RCA?

A timeline improves RCA by turning the investigation into source-based questions. Instead of asking who failed, the team can ask where the sequence changed, which control should have worked, what evidence is missing, and why the work system allowed exposure.

About the author

Global Safety Culture Specialist

Andreza Araujo is an international reference in EHS, safety culture and safe behavior, with 25+ years leading cultural transformation programs in multinational companies and impacting employees in more than 30 countries. Recognized as a LinkedIn Top Voice, she contributes to the public conversation on leadership, safety culture and prevention for a global professional audience. Civil engineer and occupational safety engineer from Unicamp, with a master's degree in Environmental Diplomacy from the University of Geneva. Author of 16 books on safety culture, leadership and SIF prevention, and host of the Headline Podcast.

  • Civil Engineer (Unicamp)
  • Occupational Safety Engineer (Unicamp)
  • Master in Environmental Diplomacy (University of Geneva)