A risk assessment tells you what was wrong with your water system on the day someone inspected it. A Water Safety Plan is how you keep it right every day after that. The gap between those two things is where most sites quietly stall: the report lands, the obvious defects get fixed, and the rest becomes a PDF on a shared drive that nobody opens until the next survey.

The work now is to turn findings into a managed system — named owners, control limits, live records and a real review cycle — instead of a one-off document. It does not have to read like a hospital’s. It does have to be alive.

What the plan has to be built on

Three things need to be in place first, or everything above them rests on sand.

  • A risk assessment you genuinely trust, produced to a recognised standard. BS 8580-1 is the code of practice for Legionella risk assessment [5], and L8 gives the assessment and the review of controls Approved Code of Practice status — so this is a duty, not an optional survey [2]. If yours reads like a tick-box export, fix that before you build anything on it. The key components of a sound assessment are worth checking against.
  • A written scheme of control: the document that says how each risk is actually managed [2].
  • A person with the authority to decide and to spend. A plan signed off by someone who cannot release a purchase order is decoration.

The scope decision people skip

Before any steps, settle one question: is this a Legionella plan, or a water safety plan? They are not the same thing.

BS 8680 frames a water safety plan around the whole water system and the range of waterborne hazards it can carry, not Legionella alone — scalding, Pseudomonas and other organisms, system contamination after works [1]. The approach traces back to the World Health Organization’s water-safety-in-buildings model, which treats the building’s water as a managed supply from incoming main to final outlet [7]. For a standard office, your written scheme may be all the law expects of you. For a care home, a hospital wing, a leisure site or a large mixed estate, a fuller plan is the honest next step — and in healthcare, HTM 04-01 sets the bar and expects a constituted water safety group behind it [6]. Decide this deliberately. If you want the broader version, developing a comprehensive water safety plan covers the full shape; the steps below assume you are extending a Legionella programme outward.

The sequence: from findings to a working plan

Six steps, in order. Each one has a point at which you can call it done — and “done” means a thing you could show an auditor, not a feeling.

  1. Lock the scope and write it down. One paragraph: which buildings, which systems, which hazards, who signed it off. Done when: the scope statement is dated, signed, and short enough that the maintenance team can read it.

  2. Put names against the roles. Duty holder, responsible person, deputies, and for complex or higher-risk sites a water safety group that meets on a schedule. Vague accountability is the failure that precedes most others. Done when: every role has a named person, holiday and absence cover is stated, and the escalation route — who to call when a control is breached — is on one page.

  3. Finish the asset register and the schematic. The assessment should have started both; a plan needs them complete and kept current. Done when: every tank, calorifier, TMV, sentinel outlet and known dead leg is listed, and the drawing matches what you actually find on a walk-round, not what the original design intended.

  4. Convert each finding into an owned action. Build a remedial action plan: every defect becomes a line with a priority, an owner, a deadline and an acceptance criterion. Done when: no finding from the assessment sits without an owner and a written definition of “fixed”.

  5. Give every routine task a limit and a trigger. Temperatures, flushing, cleaning, descaling — each needs an acceptable result and a defined action when the result falls outside it. Set monitoring frequency from the risk assessment and the system, not from a calendar default copied off another site; HSE guidance is clear that testing and monitoring follow the system and its assessment [4], and HSG274 holds the technical detail [3]. Done when: every recurring task has an acceptable range, a record location, and a written “if not, then” response.

  6. Set verification and review triggers. Decide how you will check the controls are working — sampling for verification where the assessment calls for it, internal audit, a management review cadence — and which events force an early review: a system alteration, a change in occupancy or vulnerable users, a contractor change, or a suspected case. Done when: both the routine review date and the event triggers are written into the plan, with a named person who owns each.

Where these plans come apart

A plan can pass an audit on paper and still fail in practice. Three patterns do most of the damage.

The first is drift. The assessment gets reviewed and the plan does not, so within a year they describe different buildings. Tie them together: when the risk assessment changes, the plan is reviewed in the same breath. Continuous, rather than once-a-year, risk assessment makes that link far easier to hold.

The second is the binder nobody opens. If the records live somewhere the people doing the flushing and temperature checks cannot reach, the plan is a story you tell, not a system you run. Put the live records where the work happens.

The third is retrospective ticking — a month of readings entered in one sitting before a visit. That is not a record of control; it is a record of paperwork. A plan only proves anything if its evidence is contemporaneous.

How to tell the plan is real

The test is not the thickness of the document. Pick any control at random and ask the responsible person three things: why does this control exist, what result is acceptable, and what happens when it isn’t met. If they can answer for an outlet they have never personally touched, you have a Water Safety Plan. If the answer is “the contractor handles that,” you have a folder and a hope.

A note on limits

This is general guidance, not a template to fill in and file. BS 8680, L8 and HSG274 are frameworks; the control limits, the monitoring intervals, the depth of governance and whether you need a full water safety plan at all come from your own competent, site-specific assessment and from who your water could actually harm. Where you serve patients, residents or other vulnerable people, the standard rises and HTM 04-01 applies — do not scale a low-risk office approach onto a high-risk building because it was cheaper to copy.

FAQ

Do I legally need a Water Safety Plan, or is a written scheme of control enough?

For many ordinary commercial buildings the legal baseline is a suitable risk assessment and a written scheme of control under L8 and HSG274 [2][3]. A formal Water Safety Plan to BS 8680 is best practice rather than a blanket legal requirement [1] — but for healthcare, complex estates and sites with vulnerable users it becomes the proportionate, expected approach, and in NHS settings HTM 04-01 effectively assumes one [6]. Let your assessment decide which you need.

Is a Water Safety Plan just a longer risk assessment?

No. The assessment is a snapshot judgement of where risk sits and what should change. The plan is the standing management system that carries those judgements forward — roles, control limits, records, verification and review. One is a diagnosis; the other is the treatment plan you keep running.

Who should sit in a water safety group for a non-healthcare site?

There is no fixed list, but the useful core is the duty holder or their delegate, the responsible person, whoever controls maintenance and budget, and your competent water-treatment adviser. Keep it small enough to actually meet. Its job is to own decisions and escalation, not to admire reports — see communicating water risk to the people who fund it.

Your next step

Open your latest risk assessment and the most recent month of monitoring records side by side. Take the first three findings and write, for each, an owner, a deadline and the result that would prove it fixed. That short list is the seed of step four — and the fastest honest way to see whether your current paperwork is a plan or just a survey waiting to expire.

Sources

[1] BSI, “BS 8680:2020 - Water quality. Water safety plans. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-water-safety-plans-code-of-practice [2] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [3] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [4] HSE, “Testing and monitoring your water system for legionella”. https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm [5] BSI, “BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1 [6] NHS England, “Health Technical Memorandum 04-01: Safe water in healthcare premises”. https://www.england.nhs.uk/publication/safe-water-in-healthcare-premises-htm-04-01/ [7] WHO, “Water safety in buildings”. https://iris.who.int/server/api/core/bitstreams/2c302ce4-bca9-42bc-97b4-ddbe95f0c7f2/content