A Legionella record only earns its keep on the day someone refuses to take your word for it. An HSE inspector following up a complaint, an insurer weighing a claim, a solicitor rebuilding a timeline after a suspected case — none of them wants a dashboard glowing 96% green. They want to know whether the temperature at the third-floor shower really was checked on the date you claim, by a named person, and what happened when it came back out of range. Buy your record-keeping software for that conversation, not for the tidy Monday-morning report.
Most Legionella software is sold on convenience: less chasing, fewer spreadsheets, a smarter audit pack. Convenience is worth paying for. But the features that decide whether the money was well spent are the ones that hold up when your records are read by someone who is not on your side.
What you are actually buying
Strip away the marketing and a record-keeping system has one job: to turn the work your team does on the water system into evidence that proves the control scheme is running. L8 expects the duty holder to keep records of the risk assessment, the written scheme, the monitoring and inspection that follow from it, and the management arrangements behind the lot [1]. HSG274 then sets out the kinds of checks — temperatures, flushing, cleaning, inspections — whose frequency your risk assessment, not the software, decides [2].
So the purchase has to do three things well. Capture each task accurately at the point it happens. Preserve that record so it can be trusted later. And make the failures impossible to lose — because the out-of-range reading, and the action you took to fix it, are the part an inspector reads first.
A system that only makes the green ticks easier has solved the wrong problem.
How to judge a system before you sign
Score every shortlisted product against the same five questions. Each comes with what good looks like, the question to put to the vendor, and the answer that should worry you.
Does the record prove who, what, when — and resist being changed?
This is the foundation. A credible audit trail records the named user, the asset, the date and time, the reading and whether it was in range, and it timestamps all of that at the moment of entry. Edits should be visible as edits, not silent overwrites, so a backdated entry can never pass itself off as a contemporaneous one.
Ask the vendor: “If a technician enters a reading three days late, what does the record show — the date they did the work, the date they typed it in, or both?”
Red flag: any system that lets a manager quietly change a historical reading with no trace. A tamper-evident history is the single feature that separates evidence from a glorified to-do list.
Are records tied to specific assets and to your written scheme?
Compliance lives at outlet level, not building level. A useful system holds an asset register — every sentinel outlet, calorifier, tank, TMV and shower — and hangs each task off the asset it relates to, mirroring the structure of your written scheme. That is what lets you answer “show me the last twelve months for this shower” in seconds rather than across an afternoon.
Ask the vendor: “Can the task schedule be built to match our existing risk assessment and written scheme, or do we have to bend our scheme to fit your templates?”
Red flag: a fixed, one-size template that cannot represent your actual system. Your records should describe your building, not the supplier’s idea of an average one.
What happens when a check fails?
Routine green entries are easy. The real test of a system is the exception. When a temperature comes back low or a flush is missed, the record should flag it, route it to the responsible person, track the remedial action, and hold the close-out evidence that shows the loop was shut. An open action that nobody chased is exactly the gap that turns a near miss into a finding.
Ask the vendor: “Walk me through an out-of-range temperature from the moment it is logged to the moment it is signed off as resolved.”
Red flag: exceptions that vanish into an average, or dashboards that report “94% compliant” without making the missing six per cent visible and named.
Can the work be captured where the work happens?
Plant rooms, roof tanks and basement risers are not famous for mobile signal. If technicians cannot record at the point of work, they will scribble on paper and type it up later — and you are back to transcription errors and gaps. Offline capture on a phone or tablet that syncs when it reconnects keeps the record contemporaneous, which is precisely what gives it weight. Real-time capture on a handheld is worth understanding in its own right; see Real-time logging.
Ask the vendor: “Does the mobile app work with no signal in a basement, and when is the timestamp set — at capture or at sync?”
Red flag: a system that only works at a desk.
Whose data is it, and can you get it out?
Records have to outlive the contract. L8 expects monitoring and inspection records to be retained for a defined period [1], which means your data must survive a change of supplier, a price rise, or the vendor going out of business. Insist on a clean export of the full history — readings, evidence, audit trail and all — in an open, searchable format, not a locked PDF pack.
Ask the vendor: “If we leave you tomorrow, what exactly do we get back, in what format, and how long do we keep access?”
Red flag: data you can see but cannot extract, or an export that quietly drops the audit trail and leaves you with summaries.
The trade-offs nobody mentions
A digital logbook is not free of cost beyond the licence. It moves effort to the front: someone has to build the asset register and the schedule properly, or you have automated the wrong checks faithfully. It also raises the floor on discipline — a missed task that paper would have hidden is now visibly, datedly missing. That feels worse, and it is the whole point.
There is a competence question too. The software records what competent people did; it does not make anyone competent. If the underlying scheme is wrong, a polished platform documents the wrong thing with great precision. The Legionella Control Association’s code of conduct is a useful reference when judging whether the people doing the work — in-house or contracted — are up to it [3].
When a digital system is the wrong buy
If you run a single small building with a handful of outlets and a well-kept paper logbook an inspector could read in five minutes, software may add admin without adding control. The case for buying strengthens as outlets multiply, sites spread out, staff turn over, and the day you have to reconstruct a year of history for someone hostile grows more likely. Buy when the volume of evidence has outgrown what a person can reliably chase by hand — not because digital sounds more modern. If you are moving across from paper, do it deliberately rather than overnight; Setting up a digital Legionella logbook covers the migration without losing your history.
Before you sit through a demo
Two things to hold onto. First, software stores evidence; it does not create control. No platform sets your monitoring frequencies, decides your temperature limits, or judges whether a low-use outlet is a real risk — that is the work of a competent, site-specific risk assessment, and the references here are general guidance to confirm against L8 and HSG274, not settings to copy across [1] [2]. A system that keeps immaculate records of the wrong checks is worse than a notebook of the right ones.
Second, test before you trust. Take your current written scheme, pick the three outlets that give you the most trouble, and ask each vendor to show you a full year of those three outlets’ history in their system — exceptions, missed tasks, close-outs and all. The product that handles your worst three outlets cleanly is the one worth buying. The rest is presentation.
FAQ
Will switching to software make us compliant?
No. Compliance comes from a sound risk assessment, a written scheme and competent people carrying it out; the software only proves that the work happened and makes the gaps visible. A digital logbook of checks your scheme never specified is tidy but worthless.
Can an HSE inspector reject digital records?
There is nothing inherently unacceptable about digital records, provided they show what paper would have shown — who did each task, when, the result, and what happened when something was out of range [1]. What fails an inspection is records that cannot be trusted, are full of gaps, or hide failures inside an average — on paper or on screen.
What do we do with years of paper logs when we move across?
Keep them. The retention expectation does not reset because you changed system [1], so store the legacy logs, scanned or original, for the period your risk assessment and L8 require, and treat the switchover date as a clean boundary rather than back-keying old entries into the new platform.
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems — Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/