Most Legionella failures are not caused by an exotic strain or a freak plumbing fault. They come from the same short list of ordinary management gaps, repeating across building after building. A control that drifted. A reading nobody chased. A pipe that should have been cut out two refurbishments ago.
That is oddly reassuring. If the failures are predictable, they are preventable, and you can audit your own site against them in an afternoon.
The Legionella mistakes below are the ones that turn up again after an incident or an HSE visit, when someone finally asks how a known risk was allowed to sit. Each is described as it actually looks on site, why it tends to happen, and the fix that closes it.
The mistakes that keep coming back
A risk assessment that describes a building you no longer have
The assessment is dated, signed, filed, and three years out of date. Since then a wing was mothballed, a thermostatic mixing valve scheme was added, the cold water tank was relocated to a warmer plant room. The paperwork still describes the old building.
This happens because people treat the risk assessment as a document to produce, not a control to maintain. It is the foundation everything else rests on; if it is wrong, every downstream task is aimed at the wrong target. Review it when the system, the use pattern, or the people exposed change, and at the interval your assessment itself sets, rather than only when a renewal date drifts past [1][2].
Outsourcing the work and assuming you outsourced the duty
A contractor visits monthly, leaves a report, and everyone relaxes. Nobody reads the report closely. An out-of-range result sits in the file unchallenged for half a year.
Bringing in a specialist is sensible, and most duty holders should. The error is believing the contract transfers the legal duty. It does not: accountability stays with the duty holder and the appointed responsible person [3]. The fix is active oversight. Confirm the provider is competent (membership of the Legionella Control Association is a useful signal [4]), actually read what they send, and ask what each abnormal result triggered. A report nobody reads is not a control.
Collecting numbers nobody acts on
A logbook full of neat ticks. A sentinel outlet that has read a few degrees cool for months. No action recorded against any of it.
Monitoring slides into ritual when it is cut off from its purpose. The point of a temperature reading is not the reading; it is the decision the reading prompts. Define the acceptable result for each check, the action when it is missed, and who owns that action, then record the decision and not just the figure. “Outlet flushed; temperature low; reported to responsible person; descale scheduled” is worth far more than a single tick in a box.
Forgetting the outlets nobody uses
The accessible-toilet shower that runs once a quarter. The tap in a decommissioned kitchen. The capped branch left dangling after a refit. These low-use outlets and dead legs are exactly where warm water stagnates, and they are the easiest things to overlook precisely because nobody touches them [5].
They get forgotten because attention follows footfall, and risk does the opposite. Map every seldom-used outlet and every redundant length of pipe. Flush what must stay; physically remove what does not. Cutting out a dead leg once beats flushing it forever, and it shrinks the ongoing burden every week after. Neglected water systems: the danger of stagnation goes deeper on why stagnation sits behind so many failures.
Chasing samples instead of controlling conditions
A clear lab result comes back and gets treated as a clean bill of health, while temperatures quietly drift out of range.
A sample feels like proof in a way a temperature log does not. But a negative result describes one outlet at one moment; it says little about the system tomorrow. Control comes first (temperature, movement, cleanliness), and sampling verifies it. Test frequency follows the risk assessment and the system, not a fixed calendar slot chosen for tidiness [6].
No line that means “stop and escalate”
A caretaker finds a stored-water temperature that looks wrong and does nothing, because nobody ever said what “wrong” was or who to tell.
The written scheme lists tasks but no thresholds, so judgement falls to whoever happens to be holding the clipboard. Set the limits explicitly: this reading triggers that action, this finding stops the task and goes to the responsible person, this one authorises remedial work. Escalation that lives only in someone’s head is not escalation.
If you fix only one thing
Read back across those six and a single thread runs through every one: the gap between knowing and acting. The assessment that was never revisited. The report never read. The cool reading never chased. The dead leg never cut. Knowledge existed; action did not follow.
So the most effective correction is not another task on the schedule. It is naming one competent person who genuinely reviews the evidence, the readings, the reports, the open actions, and is accountable for closing the loop. Get that one role working and most of the other mistakes surface and get caught on their own. Leave it vacant and even a good scheme slowly rots. If you manage a typical office and want to see what that review rhythm looks like in practice, Legionella control in office buildings walks through it.
A necessary caveat
These are patterns, not a checklist that fits every building. Your site-specific risk assessment, carried out by a competent person, decides which controls apply, what counts as out of range for your system, and how quickly a given remedial action must close. Where a figure or interval is mentioned here, treat it as a prompt to confirm against current HSE guidance and your own assessment, not a universal rule. This is general guidance on common failure modes, and nothing more.
Common questions
If we use a contractor, are we still responsible when something goes wrong?
Yes. You can contract out the tasks, but not the duty. The duty holder and the appointed responsible person remain accountable for control, oversight, and the records that prove it, which is why reading and challenging your contractor’s reports matters as much as commissioning them [3].
Is a single out-of-range temperature reading a compliance failure?
Not in itself. Systems vary day to day. What matters is whether you noticed it, acted on it, and recorded what you did. A one-off reading that triggered a sensible response shows control working; the same reading ignored for months is the actual failure.
How long can a remedial action stay open before it becomes a problem?
Your risk assessment should rank actions by risk, and the higher-risk ones should not linger. A dead leg or a failed control flagged a year ago and still open is hard to defend, because it shows the management loop never closed. Set target dates by priority and review open actions at every meeting.
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [4] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/ [5] HSE, “Systems most likely to create legionella risk”. https://www.hse.gov.uk/legionnaires/risk-systems.htm [6] HSE, “Testing and monitoring your water system for legionella”. https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm