Common legionella compliance mistakes businesses make

Legionella compliance is the legal obligation for businesses to assess, control, and document the risk of Legionella bacteria in their water systems under the Health and Safety at Work Act 1974 and the Control of Substances Hazardous to Health Regulations 2002. The common legionella compliance mistakes businesses make rarely involve exotic technical failures. They stem from administrative gaps, inconsistent routines, and a misplaced belief that a risk assessment alone satisfies the law. The HSE’s HSG274 guidance sets clear standards for temperature control, written schemes, and record keeping. Failing to meet those standards exposes your organisation to enforcement action, civil liability, and serious harm to building occupants.
1. Common legionella compliance mistakes businesses make: missing the written control scheme
A risk assessment identifies hazards. A written scheme of control tells you what to do about them. These are two separate legal requirements, and many businesses perform a risk assessment but never implement the written scheme, leaving them non-compliant despite a technically clean water system.
The written scheme is the operational backbone of your legionella control programme. It specifies which outlets to monitor, how often, at what temperatures, and who is responsible. Without it, your monitoring activities have no documented framework, and an inspector has no way to verify that your controls are consistent or adequate.
The complexity of a written scheme scales with your building. A simple residential property may need only a brief A4 document. A complex facility such as a hospital or large hotel can require a detailed 30–40 page schedule covering every water system component. That range illustrates why generic templates often fail. Your scheme must reflect your actual site.
- Confirm your written scheme exists as a standalone document, not just as notes within the risk assessment.
- Check that it names a responsible person and assigns specific monitoring tasks.
- Verify that monitoring schedules match the frequencies required by HSG274.
- Review the scheme whenever the building layout or water system changes.
Pro Tip: If your contractor produced a risk assessment but handed you nothing else, ask specifically for the written scheme of control. The two documents are not interchangeable.
2. Temperature control failures at sentinel outlets
Temperature control is the primary physical barrier against Legionella proliferation. Hot water must be stored above 60°C and distributed above 50°C; cold water must remain below 20°C. The range between 20°C and 45°C is where Legionella bacteria multiply most rapidly. Many businesses monitor temperatures occasionally but miss the sentinel outlets, which are the first and last draw-off points on each circuit, where problems appear first.

Flushing frequency is the second most common failure. Outlets that are used infrequently, such as a guest room shower used once a month, accumulate stagnant water that sits at the ideal growth temperature. HSG274 guidance requires weekly flushing of little-used outlets. Showerheads and hoses should be descaled and disinfected quarterly. Both tasks are frequently missed or logged inconsistently.
The table below summarises the key temperature and maintenance benchmarks from HSG274.
| Control measure | Required standard |
| --- | --- |
| Hot water storage temperature | Above 60°C |
| Hot water distribution temperature | Above 50°C at outlets |
| Cold water temperature | Below 20°C at outlets |
| Flushing of infrequently used outlets | Weekly |
| Showerhead descaling and disinfection | Quarterly |
- Identify all sentinel outlets on a site plan.
- Record temperatures at each sentinel outlet monthly at minimum.
- Log weekly flushing of low-use outlets with the date, outlet reference, and operative name.
- Schedule quarterly showerhead descaling and record each instance.
- Investigate any reading outside the required range immediately and document the corrective action.
Pro Tip: Install a temperature monitoring system on high-risk circuits. Automated logging removes human error and produces audit-ready data in real time.
3. Inadequate record keeping and documentation
Poor records are the fastest route to enforcement action. Failing to keep verifiable, audit-ready records covering assessments, control schemes, monitoring logs, and remedial actions is a major compliance liability. An inspector does not take your word for what happened. They read your logbook.
Records must be retained for at least five years under HSG274 recommendations. That retention period covers temperature logs, water sampling results, corrective action reports, contractor visit records, and any changes to the written scheme. Gaps in any of these categories raise immediate questions about the reliability of your entire programme.
The most serious record-keeping error is back-filling. Back-dated temperature records invalidate compliance and risk severe enforcement action. Inspectors detect this by looking for physically impossible patterns, such as identical temperature readings recorded across multiple months, or entries that show no variation whatsoever across different seasons. The data simply does not look real, and experienced inspectors recognise it immediately.
- Keep a single, centralised logbook for each site, whether physical or digital.
- Record every monitoring visit with the date, time, operative, and actual readings.
- Never estimate or reconstruct readings from memory.
- Store corrective action reports alongside the monitoring log that triggered them.
- Review your compliance documentation at least annually to confirm completeness.
The difference between a business that passes an inspection and one that faces enforcement often comes down to whether the logbook tells a credible, consistent story. Simple administrative errors, such as gaps in monitoring logs or missing responsible person appointments, are the root cause of most enforcement findings.
4. The “someone else’s problem” assumption in shared buildings
Multi-occupancy buildings produce a specific and recurring compliance failure. In shared buildings, each party often assumes the other manages the water infrastructure, which leads to unassessed water systems and uncontrolled risk. Landlords assume tenants manage the outlets. Tenants assume the landlord controls the plant room. Neither party acts, and the water system receives no oversight at all.
Clarifying responsibility boundaries within multi-occupied buildings prevents overlooked water system liabilities. This requires a written agreement, not a verbal understanding. The agreement should specify who owns each section of the water system, who carries out monitoring, and who responds to out-of-range readings.
- Document which party is responsible for each section of the water system in the lease or a separate compliance agreement.
- Appoint a named responsible person for each zone and confirm this in writing.
- Share monitoring records between landlord and tenant so both parties can verify compliance.
- Review responsibilities whenever a new tenant moves in or the building layout changes.
For landlords managing multiple tenancies, consider a landlord compliance programme that covers all units under a single coordinated scheme.
The risk is not theoretical. A water system with no identified owner receives no monitoring, no flushing, and no corrective action. That is the exact condition in which Legionella bacteria proliferate to dangerous concentrations.
5. Failing to update controls when building usage changes
Building usage changes are one of the most underestimated drivers of legionella risk. Reduced water usage causes stagnation and significantly increases the risk of Legionella proliferation when flushing and monitoring schedules are not updated to reflect the new pattern. Hybrid working is the most common current example. A building that previously had full occupancy five days a week may now see two or three days of partial use. Water sits in pipes for longer. Temperatures drift into the growth range. The risk profile of the building changes, but the control programme does not.
The same principle applies to seasonal closures, building refurbishments, and any period of reduced occupancy. A hotel closing a wing for renovation, a school building unused over summer, or an office floor mothballed during a restructure all present the same stagnation risk. The written scheme must be reviewed and updated to reflect these changes, not left on the shelf until the next scheduled assessment.
Practical steps for managing occupancy-driven risk include increasing flushing frequency on low-use circuits, installing automated temperature monitoring on circuits that are no longer in daily use, and carrying out a full system flush and temperature check before reoccupying any area that has been dormant.
Pro Tip: Treat any change in building occupancy as a trigger for a compliance review. Update your flushing schedule before the change takes effect, not after you notice a problem.
6. Assuming outsourcing transfers legal responsibility
Outsourcing legionella control to a specialist contractor is good practice. Assuming it transfers your legal liability is a legionella safety mistake that exposes dutyholders to serious risk. The law places the duty on the dutyholder, not the contractor. Delegation does not change that.
Failing to review contractor reports or verify task completion exposes dutyholders to liability even when a contractor is on site regularly. You need to know what your contractor found, what they did, and whether any corrective actions remain outstanding. If you cannot answer those three questions, your oversight is insufficient.
Active management means reading contractor reports, asking questions about out-of-range readings, and confirming that remedial work has been completed and logged. It does not mean duplicating the contractor’s technical work. It means maintaining enough understanding of your own water systems to know when something is wrong.
Key takeaways
Legionella compliance failures are almost always administrative, not technical. Routine consistency, clear record keeping, and active management prevent the vast majority of enforcement findings.
| Point | Details |
| --- | --- |
| Written scheme is mandatory | A risk assessment alone does not satisfy the law. Implement and maintain a written scheme of control. |
| Temperature ranges are non-negotiable | Hot water above 60°C in storage, above 50°C at outlets; cold water below 20°C. Monitor sentinel outlets regularly. |
| Records must be verifiable | Retain all monitoring logs, assessments, and corrective action reports for at least five years. Never back-fill records. |
| Shared buildings need written agreements | Assign responsibility for each section of the water system in writing to prevent unmonitored gaps. |
| Occupancy changes require control updates | Update flushing schedules and monitoring whenever building usage patterns change. |
What I have learned from years of legionella compliance work
The businesses that struggle most with legionella compliance are rarely the ones with the most complex water systems. They are the ones that treat compliance as a one-time event rather than an ongoing operational discipline.
I see the same pattern repeatedly. A business commissions a risk assessment, files it, and considers the job done. A year later, nothing in the written scheme has been acted upon. The logbook is empty or, worse, filled in retrospectively. The responsible person named in the assessment left the company six months ago and nobody updated the record. None of this is malicious. It is the result of treating compliance as a project with an end date rather than a routine with no end date.
The “set and forget” attitude is just as dangerous when a contractor is involved. I have reviewed sites where a reputable contractor visited monthly, but the dutyholder had never read a single report. Out-of-range readings had been flagged repeatedly. No corrective action had been taken. The contractor fulfilled their contractual obligation. The dutyholder remained legally exposed.
What actually works is simple. Assign a named responsible person who understands the system. Read every contractor report within a week of receipt. Act on every corrective action recommendation before the next visit. Review your written scheme whenever anything changes. That is not a complex programme. It is consistent attention to a small number of critical tasks.
— Sammi
How Bespokecompliancesolutions supports your compliance programme
Bespokecompliancesolutions works with businesses across commercial, healthcare, hospitality, and housing sectors to build compliance programmes that hold up under inspection. The work starts with a professional legionella risk assessment tailored to your specific site, not a generic template. From there, the team supports implementation of your written scheme, water testing and analysis, and ongoing monitoring to keep your records complete and current.

Every service is designed around your building’s actual risk profile. Whether you manage a single office or a portfolio of properties, Bespokecompliancesolutions provides the specialist support that removes the guesswork from legionella law compliance and keeps your organisation on the right side of HSG274.
FAQ
What is the difference between a risk assessment and a written scheme?
A legionella risk assessment identifies hazards in your water system. A written scheme of control is the documented plan for managing those hazards, and both are legal requirements under HSG274.
How long must legionella compliance records be kept?
HSG274 recommends retaining legionella compliance records, including temperature logs, assessments, and corrective action reports, for at least five years.
Who is legally responsible for legionella compliance in a shared building?
The dutyholder, typically the building owner or employer, holds legal responsibility. In shared buildings, written agreements should clearly assign responsibility for each section of the water system to prevent compliance gaps.
Does outsourcing legionella control remove my legal liability?
No. Outsourcing does not transfer legal responsibility. Dutyholders must actively oversee contractor work, review reports, and confirm that corrective actions are completed.
How often should infrequently used outlets be flushed?
HSG274 guidance requires weekly flushing of outlets that are not in regular use, with showerheads and hoses descaled and disinfected quarterly.