Search or navigate to a page
On 23 March 2005, a hydrocarbon vapour cloud ignited at BP's Texas City refinery, killing 15 contractors and injuring 180 others. The investigation that followed, led by the U.S. Chemical Safety Board (CSB), did not fixate on the immediate trigger—a startup of an isomerisation unit that overfilled a raffinate splitter. Instead, it traced a chain of organisational decisions reaching back years: deferred maintenance on the blowdown drum, budget cuts to safety training, a fatigue-inducing 30-day shift pattern, and a corporate signal that production cost reductions outranked process safety investment. The CSB's report became a defining text in modern incident analysis precisely because it refused to stop at proximate causes. That refusal is the philosophical core of Incident Cause Analysis Method (ICAM)—a structured investigation methodology that has, over the past two decades, become the dominant approach in mining, oil and gas, and major hazard industries.
For HSE professionals, the appeal of ICAM is not that it produces a tidy diagram. It is that, applied properly, it changes what an organisation actually does after an incident. This article is a working guide to ICAM: where it came from, how its analytical layers fit together, where investigations commonly go wrong, and how to embed it in a management system that satisfies ISO 45001 Clause 10.2 (Incident, nonconformity and corrective action) without collapsing back into individual blame.
ICAM was developed in the late 1990s within BHP's Australian operations, building directly on James Reason's organisational accident model—the so-called Swiss Cheese model published in Human Error (1990) and refined in Managing the Risks of Organizational Accidents (1997). Reason's central claim was that catastrophic events almost never result from a single error. They occur when latent organisational weaknesses—decisions made far from the sharp end about resourcing, design, training, or culture—align with active failures and breach successive defensive layers. ICAM operationalises that claim by forcing an investigator to look explicitly at four levels of contribution: absent or failed defences, individual or team actions, task or environmental conditions, and organisational factors.
The methodology is not unique in this ambition. TapRooT, Apollo, the U.S. Department of Energy's Causal Analysis Tree, and the Tripod Beta methodology all share the same systemic logic. ICAM's distinction is its accessibility: a competent multidisciplinary team can complete a credible ICAM analysis in two to five days for most Tier 2 incidents, with relatively modest training. It is also the methodology referenced explicitly in the International Council on Mining and Metals' (ICMM) Critical Control Management guidance and is mandated or strongly encouraged by regulators in several jurisdictions, including parts of the Australian and Canadian mining sectors.
An ICAM investigation produces, at its centre, a chart that maps an incident across four layers. Working through them in order matters; a common failure mode is for teams to leap to organisational factors before establishing what actually happened.
Layer 1 — Absent or Failed Defences. The first analytical task is to identify the controls that should have prevented the incident or limited its consequences and to determine, for each, whether it was absent, failed, or was bypassed. This is where the investigation aligns with the bow-tie diagram for the relevant hazard, if one exists. For a dropped object incident on a drilling rig, defences might include a tool tethering policy, exclusion zones below overhead work, dropped object surveys, and supervisor verification of secured equipment. Each is examined for presence, condition, and effectiveness at the moment of the event.
Layer 2 — Individual and Team Actions. Only after the defences have been mapped does the investigation examine human actions. The discipline here is to describe what people did or did not do without yet attributing motive. ICAM explicitly borrows Reason's distinction between errors (slips, lapses, mistakes) and violations (routine, situational, exceptional). An operator who cross-connected a process line is described as having made a substitution error; the question of why is deferred until layers three and four. This sequencing is what prevents the analysis from devolving into a hunt for the negligent individual.
Layer 3 — Task and Environmental Conditions. This layer examines the local conditions that shaped the actions in layer two. Was the procedure ambiguous or contradictory? Was the worker fatigued? Were lighting, noise, temperature, or visibility degraded? Were tools fit for purpose? Was the team configuration correct? Human factors literature—particularly the SHERPA and HFACS frameworks—provides taxonomies that ICAM teams routinely draw on here. The Energy Institute's Human Factors Briefing Notes are a useful reference for investigators who need a structured prompt list.
Layer 4 — Organisational Factors. The final layer asks: what decisions, systems, or cultural patterns produced the conditions in layer three? Common organisational factors include inadequate competency assurance, contractor management gaps, cost pressure, change management failures, design weaknesses, and poor learning from prior events. ICAM teams typically use a defined taxonomy—often a 12 to 17 category list adapted from BHP's original work—to ensure consistency across investigations. Without a taxonomy, organisational findings drift toward whatever the investigator personally finds most salient.
An ICAM is only as credible as the evidence underneath it. The methodology uses a mnemonic—PEEPO—to structure evidence collection: People, Environment, Equipment, Procedures, and Organisation. In the first 24 to 72 hours after an incident, the investigation team should be working through each category in parallel rather than sequentially. People evidence includes interviews, statements, training records, fitness-for-duty data, and rosters. Environment covers physical site conditions, weather, lighting, and forensic preservation of the scene. Equipment encompasses inspection records, maintenance history, calibration certificates, and any physical evidence held for forensic analysis. Procedures includes the documented procedure, recent revisions, permits-to-work, JSAs, and toolbox talk records. Organisation captures audit findings, prior incident reports, change records, and management reviews.
Two evidence-handling failures recur across investigations and undermine the analysis disproportionately. The first is contaminated witness recollection: interviews conducted in groups, or after extensive site discussions, produce convergent narratives that may bear little resemblance to what individual witnesses observed. ICAM practice, drawing on cognitive interview research, is to interview witnesses individually, as soon as is reasonable, in a non-blaming setting. The second is loss of perishable evidence—pressure readings, alarm logs, CCTV footage on rolling deletion cycles, and verbal statements at shift handover. A pre-defined evidence preservation checklist, executed in the first hour, addresses both.
Despite the methodology's rigour, ICAM analyses commonly fail in predictable ways. Three patterns deserve attention.
The truncated tree. Investigations stop at layer two or layer three because going deeper makes someone in management uncomfortable. The recommendations focus on retraining, reminding, or disciplining the individual, leaving the organisational conditions that produced the event intact. The CSB's review of Texas City explicitly identified this pattern at BP, where prior near-misses had been investigated and closed at the operator-error level for years.
Causal inflation. The opposite failure: the team identifies thirty contributory factors and produces a recommendations list that no organisation can realistically execute. ICAM practitioners increasingly use a contribution test—would removing this factor have prevented or materially reduced the consequences of the event?—to filter findings before recommendations are written. Findings that fail the test may still be recorded for trend analysis but are not assigned a corrective action.
Recommendations of the wrong type. The hierarchy of controls applies to investigation outputs as it does to risk assessment. A recommendation to "reinforce the procedure through toolbox talks" is administrative and weak. ICAM recommendations should, where possible, target elimination, substitution, or engineering controls. ANSI/ASSP Z590.3-2021 provides a useful framing here. A useful internal discipline is to require, for each recommendation, an explicit statement of which layer of the analytical chart it addresses and which level of the hierarchy of controls it occupies.
ICAM is not a one-off exercise; it is a feedback mechanism. To produce sustained value, three integrations are necessary. First, ICAM outputs must feed the organisation's risk register. If an investigation identifies a degraded critical control, the bow-tie or HAZOP that originally credited that control should be revisited and the residual risk reassessed. Second, organisational findings must aggregate. A single ICAM identifying competency assurance gaps in a contractor population is informative; ten such ICAMs over eighteen months is a system signal that demands a programme-level response. ISO 45001 Clause 9.3 (Management review) is the natural forum. Third, the learning must propagate. Lessons-learned bulletins, toolbox talks, and shared learning across sites are the visible artefacts; the deeper requirement is a culture in which investigations are read, discussed, and trusted.
That last point is where ICAM intersects with just culture. The methodology's structural refusal to start with individual blame is what makes it possible for workers to participate honestly in interviews. If an organisation runs ICAM investigations while still terminating individuals for the active failures those investigations identify, the participation will dry up and the analyses will degrade. Sidney Dekker's Just Culture: Restoring Trust and Accountability remains the clearest available articulation of how to draw the line between errors, at-risk behaviours, and reckless conduct without collapsing the distinction.
For HSE leaders considering or refining an ICAM programme, several actions consistently differentiate effective deployments from ceremonial ones. Train a multidisciplinary cadre of investigators—operations, maintenance, HSE, and human factors—rather than concentrating capability in the HSE function alone. Use a defined organisational factors taxonomy and review it annually against your incident profile. Require an evidence preservation checklist to be executed within the first hour of any reportable event, before the investigation team is fully assembled. Apply a contribution test before finalising recommendations. Track recommendation closure rates and effectiveness, not just closure dates. And, most importantly, audit a sample of closed ICAMs each year specifically against the question: did the organisational findings translate into changes that would prevent recurrence elsewhere?
An ICAM that ends with a list of retrained operators and a closed work order is, almost by definition, an ICAM that did not finish. The methodology was built to push investigations into the harder territory where systemic change becomes possible. The HSE professional's job is to make sure they get there.
Sign in to join the conversation