A clean audit and a complete logbook prove exactly one thing: the tasks were done. They do not prove the water was safe. A good share of the organisations that end up investigating a Legionella case were, on the day, entirely compliant on paper. Beyond compliance is the work of closing the gap between those two states, and that gap is narrower and more specific than most improvement plans assume.

If you already run a competent regime, the question is no longer what to do. It is whether your system would warn you, early, when one of your controls quietly stops working. That single question separates a compliance system from a control system.

Compliance is the floor, not the finish line

L8 and HSG274 set out what a competent regime contains: assess the risk, put proportionate controls in place, monitor them, keep records, and review when something changes [1][2]. Read it as a sequence and it looks like a checklist. Read it as a circle and you see what it really is, a loop, with the review step there precisely because controls drift over time.

The failure mode worth naming is the compliant site that is not actually in control. Every task gets done. Every record gets filed. Nobody reads the data as a trend. The same far outlet logs a degree or two low for six weeks running; each reading sits close enough to pass, so no single entry triggers anything, and the calorifier is meanwhile losing return temperature week by week. The paperwork is immaculate. The control is failing. The duty to review when the evidence shifts exists to catch exactly this [3].

What excellence is not

The common misread is that beyond compliance means doing more: more samples, more outlets in the programme, tighter frequencies, a thicker file. Gold-plating feels like rigour. It rarely is. Extra activity buries weak signals in noise and ties up the people who should be reading the trend. HSE is plain that testing and monitoring frequency should follow the system and the risk assessment rather than a target number [4]. Excellence is almost never about the volume of activity. It is about the quality of the feedback and the speed of the response.

Picture the control loop that sits over your system

It helps to draw this one. Sketch two stacked layers.

The bottom layer is the physical asset: source and storage on the left, distribution in the middle, outlets on the right. The water and its hazards live here.

The top layer is the management loop, drawn as five nodes in a ring. Sense captures the evidence: sentinel temperatures, flush completion, inspection findings, sample results. Compare holds each reading against its own control limit. Decide sorts it into in range, drifting, or out. Act is the corrective task, with a named owner. Record notes what was decided and why, not just the number that was read. An arrow runs from Record back to Sense to close the ring, and a wider arc labelled Review wraps the whole thing and feeds back down into the risk assessment.

Now run a test. Take one reading from the bottom layer and trace it all the way round the top. On a compliant-but-not-in-control site, the arrow almost always breaks between Sense and Compare: data is captured but never measured against anything, so it never forces a decision. Find the broken arrow on your own diagram. Repairing it is usually the biggest single improvement available, and it tends to cost nothing but attention.

Watch the signals that lead, not the ones that lag

Lagging indicators tell you control has already failed: a positive sample, a confirmed case, an event you have to report. Leading indicators tell you it is starting to: the share of scheduled flushes actually completed on time, a stack of “no access” notes against the same rooms, sentinel temperatures edging the wrong way, the time it takes to close out a remedial action stretching from days into weeks. Maturity is mostly the discipline of watching the leading set and acting while the numbers are still boring.

This is what a water management programme really is, the loop made routine. CDC frames such a programme as the primary strategy for controlling Legionella growth and spread [5]. The Water Safety Plan approach in BS 8680 takes the same preventive, whole-system view, as does WHO guidance on water safety in buildings [6][7]. The label matters less than the habit underneath it. Live monitoring through building management systems can feed the Sense node directly, which is its own subject; see integrating Legionella control with building management systems.

Who owns the loop: governance over paperwork

Maturity shows up in governance long before it shows up in the files. A Water Safety Group (the duty holder, the responsible person, competent advice, and whoever runs the building day to day) gives the loop an owner and a table to meet at. Decisions get made and minuted by people, escalation has a named route rather than a vague “tell someone”, and external specialists get challenged rather than simply trusted. The duty holder stays accountable for all of it, whoever does the hands-on work [3].

A practical test of maturity: can the responsible person explain, for any given control, why it exists, what result is acceptable, and what happens when a result falls outside the limit? If the answer lives only in a contractor’s method statement, the organisation is hosting a programme, not running one. The LCA Code of Conduct is a fair yardstick for the providers you depend on [8], and a mature client reads their reports critically rather than just filing them. The same instinct underpins genuine third-party audits, which test whether the loop closes rather than whether the boxes are ticked.

Where this approach runs out

A tight feedback loop cannot rescue a system you have misunderstood. All of this assumes the asset register and the risk assessment are right; if a dead leg never made it onto the schematic, no amount of governance will get it flushed. The loop sharpens judgement; it does not replace the survey work underneath it.

And none of this is legal, medical or engineering advice. Your control limits, monitoring frequencies and remedial triggers come from your own system, the people exposed to it, and how the water is actually used, established through a competent, site-specific assessment rather than lifted from a maturity model or a web page. Treat the loop as a way to organise that judgement, then test it against your real building.

FAQ

Isn’t “beyond compliance” just a polite way of saying “do more sampling”?

No, and over-sampling can work against you. More tests without a tighter loop generate more numbers nobody compares to a limit. HSE expects testing frequency to follow the system and risk assessment rather than a fixed target [4]; the gain comes from reading the evidence you already collect as a trend and acting on it early.

Do we need a formal Water Safety Plan and Water Safety Group to do this well?

Not as a legal must in every setting, but the structure earns its place once a building gets complex or higher-risk. BS 8680 sets out the Water Safety Plan as a preventive framework [6], and a standing group gives decisions an owner and an escalation route. A small, low-risk site can run the same loop with one competent person; the principle scales down.

How do we show an auditor we’re in control, not just compliant?

Show the loop closing. Produce a case where a reading drifted, was compared to its limit, triggered a decision, was acted on by a named person, and was recorded with the reasoning, then fed into a review. One well-evidenced corrective story proves more than a year of unbroken green ticks.

Start with one reading this week

Pull a single sentinel temperature or flush record from last month and try to trace it round the loop: was it compared to a limit, did anything happen when it drifted, who decided, and is the reasoning written down anywhere? Wherever the trail goes cold, you have found your first broken arrow, and the most useful thing to fix before the next review. For where this sits across an estate, see how the loop gets embedded into day-to-day facilities management.

Sources

[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm

[2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm

[3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm

[4] HSE, “Testing and monitoring your water system for legionella”. https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm

[5] CDC, “Controlling Legionella”. https://www.cdc.gov/control-legionella/index.html

[6] BSI, “BS 8680:2020 - Water quality. Water safety plans. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-water-safety-plans-code-of-practice

[7] WHO, “Water safety in buildings”. https://iris.who.int/server/api/core/bitstreams/2c302ce4-bca9-42bc-97b4-ddbe95f0c7f2/content

[8] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/