How to Preserve Incident Evidence in the First 24 Hours
A practical 24-hour incident evidence preservation guide for EHS managers who need to protect scenes, records, witnesses, and investigation quality.

Key takeaways
- Incident evidence preservation protects physical, digital, documentary, and witness facts before the organization starts interpreting cause.
- The first 24 hours should separate emergency stabilization from cleanup so the area becomes safe without erasing the work conditions.
- Digital records such as CCTV, permits, access logs, alarm histories, and maintenance data must be preserved before they roll over or are edited.
- Witness protection comes before detailed interviews because fear, shock, and group discussion can reshape memory quickly.
- Andreza Araujo's safety culture work treats evidence control as a leadership routine, not an administrative task after the event.
Incident evidence is fragile in the first 24 hours. The scene changes, people talk to each other, equipment is cleaned, digital records roll over, and leaders under pressure ask for answers before the investigation has protected the facts.
This guide is written for EHS managers, supervisors, and site leaders who need a practical evidence-preservation routine after a serious incident, high-potential near miss, or uncontrolled energy event. The thesis is direct: a weak first day can turn a good investigation into a reconstruction exercise built on memory, politics, and missing data.
Across 25+ years in executive EHS roles, Andreza Araujo has seen incident investigations fail less because teams lack intelligence and more because the organization allows evidence to decay while everyone rushes toward cause. James Reason's work on latent failures is useful here, because the investigator needs to protect the work system as it was, not only the last action that was visible.
Why evidence preservation decides investigation quality
Evidence preservation is the disciplined protection of physical, digital, documentary, and testimonial facts before interpretation begins. ISO 45001:2018 requires organizations to react to incidents, determine causes, and take action, but the standard assumes that the organization still has enough evidence to understand what happened.
The market often underestimates this step because the first day feels operational, not analytical. Leaders want the area safe, production stabilized, regulators informed when required, and employees reassured. Those needs are real, although none of them replaces the duty to protect the facts.
As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture appears in what leaders repeat under pressure. After an incident, the repeated behavior that matters is not the speech about learning. It is whether the site protects evidence before defending decisions, blaming the operator, or rewriting the work as everyone wishes it had been performed.
Step 1: Make the scene safe without cleaning the story
The first step is emergency control. Rescue, medical response, fire control, energy isolation, spill containment, and protection of other workers come before investigation activity. Evidence preservation never overrides life safety.
The trap appears immediately after the emergency is stable. Teams start sweeping, moving tools, removing damaged parts, correcting housekeeping, and reopening access because the area looks embarrassing. That cleanup can destroy the position of materials, control settings, line-of-fire exposure, bypassed guards, labels, or temporary workarounds that explain the event.
Assign one supervisor to separate emergency stabilization from cleanup. The area can be made safe through barricades, lockout, ventilation, drainage, or temporary support while the original condition remains documented. Where the same exposure remains active, connect the decision to barrier restoration after SIF, because preservation and control must move together.
Step 2: Freeze access with one accountable owner
The second step is to control who enters the scene. A serious incident can attract managers, maintenance, contractors, safety representatives, union leaders, security, and curious workers. Each person may have a valid reason to be nearby, but uncontrolled access turns the scene into shared memory rather than evidence.
Set a perimeter and name one evidence owner for the first 24 hours. That owner logs every entry, records why the person entered, and notes whether anything was moved, sampled, isolated, or photographed. This does not need to be ceremonial. A clipboard, phone form, or incident notebook is enough if the entries are time-stamped and legible.
Andreza Araujo's work across more than 250 cultural transformation projects shows that accountability without an owner becomes a slogan. The owner role protects the investigation from diffusion, especially when senior leaders arrive with strong opinions and informal authority.
Step 3: Capture the physical scene before discussion spreads
The third step is to photograph and video the scene before people begin debating causes. Start wide, then move closer. Capture entrances, lighting, weather or environmental conditions, equipment position, controls, labels, tools, PPE, product flow, floor conditions, barricades, damage, and any temporary work setup.
Photographs should include scale and direction. A close image of a damaged valve, wire, sling, step, or machine guard is weaker if nobody can later identify where it sat in relation to the worker, the energy source, and the normal task path. Video helps when the layout is complex, because it preserves relationships that isolated images can lose.
Do not ask witnesses to pose or recreate movements. Reenactment in the first hours can contaminate memory and create a false sense of certainty. If the team needs a task walk-through later, schedule it after witness statements are protected and after the scene record is complete.
Step 4: Preserve digital records before they roll over
The fourth step is digital preservation. Many incident facts live in systems that can be overwritten quickly: CCTV, access control, production logs, alarm histories, permit platforms, fleet telematics, maintenance software, handheld scanners, gas monitors, and control-room screens.
Make a 24-hour digital evidence checklist by system owner. Security saves CCTV. Operations exports process data. Maintenance preserves work orders and lockout records. EHS saves permits, risk assessments, observations, and prior related findings. HR or occupational health protects fit-for-work and medical privacy boundaries where those records are relevant.
The risk is not only deletion. Data can be normalized by the system, overwritten by new shifts, or edited by well-meaning people who think they are correcting a record. Preserve the original file, export copy, owner name, time range, and hash or file identifier when available. That discipline supports later work such as corrective action effectiveness testing, because the team can compare actions with the actual pre-incident condition.
Step 5: Separate witness protection from witness interviews
The fifth step is to protect people before collecting detailed accounts. Witnesses may be injured, shocked, guilty, angry, afraid of discipline, or worried about colleagues. If the first interaction sounds like interrogation, the investigation loses trust before facts are organized.
In the first 24 hours, collect short, individual, time-sensitive statements before group discussion reshapes memory. Ask each person where they were, what they saw or heard, what changed, what they did next, and what condition they believe mattered. Avoid asking why the incident happened. That question invites theory before evidence is ready.
James Reason's distinction between active failures and latent conditions helps keep the interview technical. The witness is not there to carry the full cause of the event. The witness helps the team see the local conditions, decisions, pressures, and defenses that existed at the time. Where the event began as a near miss, link the routine to near-miss debrief discipline so supervisors learn to protect voice early.
Step 6: Build a first-day evidence register
The sixth step is to create a first-day evidence register. This is a simple table that lists each evidence item, where it came from, who collected it, when it was collected, where it is stored, and whether any restriction applies.
The register should include physical items, photographs, video files, documents, digital exports, samples, witness statements, equipment tags, calibration records, permits, work orders, training records, and supervisor notes. It should also include missing evidence. If CCTV did not cover the area or a permit was not available, record that absence rather than pretending the file is complete.
This step protects against a common investigation failure: the team discovers gaps only after cause analysis has already hardened. A visible register keeps the investigation honest about what is known, what is inferred, and what still needs verification.
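One way to keep the Step 4 preservation details and the Step 6 register in a single record, as an added example that is not part of the original guide. The column names, status values, and sample file are assumptions made for illustration.

```python
import csv, hashlib, io, os, tempfile
from datetime import datetime, timezone
FIELDS = ["item", "source", "collected_by", "collected_at_utc", "stored_at",
          "time_range", "sha256", "restriction", "status"]  # assumed column names

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large CCTV or log exports do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def register_entry(item, source, collected_by, stored_at=None,
                   time_range="", restriction=""):
    """Build one register row; with no stored file, the gap itself is recorded."""
    present = stored_at is not None and os.path.isfile(stored_at)
    return {"item": item, "source": source, "collected_by": collected_by,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "stored_at": stored_at or "", "time_range": time_range,
            "sha256": sha256_file(stored_at) if present else "",
            "restriction": restriction, "status": "collected" if present else "missing"}

def verify(register):
    """Re-hash every collected item; report files that changed or disappeared."""
    problems = []
    for row in (r for r in register if r["status"] == "collected"):
        if not os.path.isfile(row["stored_at"]):
            problems.append((row["item"], "file missing"))
        elif sha256_file(row["stored_at"]) != row["sha256"]:
            problems.append((row["item"], "hash mismatch"))
    return problems

def to_csv(register):
    """Serialize the register as a simple table, one row per evidence item."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(register)
    return out.getvalue()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample export
        path = os.path.join(d, "alarm_history_export.csv")
        with open(path, "wb") as fh:
            fh.write(b"time,tag,state\n14:02:11,PT-101,HIGH\n")
        reg = [register_entry("Alarm history", "Control room", "Operations", path, "13:00-15:00"),
               register_entry("CCTV bay 3", "Security", "Security")]  # no coverage: logged as missing
        print(to_csv(reg), verify(reg))
```

Running `verify` again at the 24-hour review shows whether any preserved export was edited or removed after it was registered.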
Step 7: Start the timeline with facts, not causes
The seventh step is to build a preliminary timeline. Keep it factual. Use exact times where available, estimated times where necessary, and open gaps where the team does not yet know the sequence.
A useful first timeline includes task planning, shift handover, permit issue, equipment status, material movement, supervisor contact, environmental change, alarm or warning, event moment, emergency response, isolation, notification, and first preservation actions. The goal is not to finish the investigation on day one. The goal is to prevent the team from jumping from event to cause while the sequence is still fragmented.
This connects with incident review board discipline, because leadership should review what evidence exists before asking for root cause. If leaders demand certainty too early, they reward narrative confidence rather than investigation quality.
Step 8: Hold the first 24-hour review before reopening assumptions
The eighth step is a short review at the 24-hour mark. The meeting should confirm that people are cared for, the area is stable, evidence is protected, required notifications have been handled, and the investigation team knows what remains uncertain.
Use five decisions. Keep the scene frozen or release part of it. Preserve more digital evidence or close the collection window. Schedule full interviews. Assign technical analysis for equipment, materials, or process data. Define temporary controls before similar work restarts.
The PepsiCo South America period, where Andreza Araujo's leadership helped reduce the accident ratio by 50% in six months, reinforces one operational lesson: safety performance improves when leadership routines discipline the first decision after pressure appears. In incident investigation, that routine starts with protecting evidence before the organization protects its preferred explanation.
FAQ
What is incident evidence preservation?
Incident evidence preservation is the protection of physical, digital, documentary, and witness information before the investigation interprets what happened. It keeps the team from relying only on memory, assumptions, or post-event cleanup.
Who should own evidence preservation in the first 24 hours?
One accountable evidence owner should coordinate the first day, usually an EHS manager, investigation lead, or trained site leader. That person does not collect everything alone, but they control access, logging, storage, and gaps.
Should production restart before evidence is collected?
Production should restart only after people are safe, required preservation is complete or deliberately released, and temporary controls are verified. Restarting because the area looks normal can erase facts and repeat the exposure.
How fast should witness statements be collected?
Short individual statements should be collected as soon as people are medically and emotionally able to speak. Detailed interviews can come later, but the first account should be protected before group discussion and informal theories reshape memory.
What is the biggest mistake after a serious incident?
The biggest mistake is searching for cause before preserving the facts. Once the scene is cleaned, records are overwritten, and witnesses align their memories, the investigation becomes more dependent on confidence than evidence.
Final check for the EHS manager: the first 24 hours should answer one practical question. Can the investigation still see the work as it existed when the incident happened? If the answer is no, the team may still write a report, but it has already lost part of the truth.
For deeper work on incident learning, safety culture, and leadership routines, start with Safety Culture: From Theory to Practice and Andreza Araujo's advisory work at andrezaaraujo.com.
About the author
Andreza Araújo
Safety Culture Expert | Senior EHS Executive
Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.
- Civil & Safety Engineer (Unicamp)
- M.A. Environmental Diplomacy (University of Geneva)
- Sustainability Cert (IMD Switzerland)
- People Management & Coaching (Ohio University)
- UN Paris speaker representative for Brazil
- ILO Turin speaker
- LinkedIn Top Voice
- Indra Nooyi PepsiCo CEO recognition (2x)