---
title: "How to carry out a Legionella risk assessment step by step"
source_url: https://legionella.io/articles/how-to-carry-out-a-legionella-risk-assessment-step-by-step/
canonical_url: https://legionella.io/articles/how-to-carry-out-a-legionella-risk-assessment-step-by-step/
pillar: "Legionella Risk Assessment"
summary: "A practical UK walk-through of a Legionella risk assessment: survey the system, rank what you find, and write a control scheme your team will actually use."
primary_keyword: "Legionella risk step by step"
date_published: 2025-06-05
date_reviewed: 2026-06-26
author: "Legionella.io editorial team (REMOTE TECH LTD)"
reviewed_against: "HSE L8 and HSG274 guidance"
region: "United Kingdom"
license: "(c) REMOTE TECH LTD. Quote freely with attribution and a link to source_url."
---

# How to carry out a Legionella risk assessment step by step

A Legionella risk assessment is not a form you complete once and file. It is the document that decides what gets checked on your site, how often, and what happens when a reading comes back wrong. Done properly it changes what people do. Done badly it sits in a drawer while the water carries on doing as it pleases.

Taken step by step, the work splits into five stages: understand the system, survey it, judge where the bacteria could grow and reach people, rank what you find, and write it up so the people maintaining the building can act on it. What follows is how to do each stage, what a good result looks like, and the mistake that catches people out at that point.

## Before you pick up a clipboard

Two questions shape how you approach the job. How complicated is the system — a small office on mains-fed combi boilers is a world away from a building with stored hot and cold water, long pipe runs, a cooling tower or a spa pool. And is the person doing the assessment competent to judge what they are looking at? HSE guidance is plain that the duty holder must appoint someone competent to assess the risk, and for anything past a simple system that usually means a trained assessor [3]. BS 8580-1 sets out the recognised method and HSG274 the technical detail on the controls you will be assessing — worth having both to hand, in-house or contracted [2][4].

Before the walk-round, get these in front of you:

- An up-to-date schematic of the water system — or the willingness to draw one as you go.
- Existing records: the previous assessment, temperature logs, cleaning and disinfection records, sampling reports and the logbook.
- Access to plant rooms, roof tanks, riser cupboards and a representative sample of occupied areas.
- Enough uninterrupted time to follow the whole system, not just the parts at eye level.

## The assessment, step by step

### Step 1 — Understand the system before you inspect it

Read the schematic and the building before you touch a tap. Where does water enter, where is it stored, how does it reach the furthest outlet, and what is the heating and return arrangement? Just as important: who uses the building, how is it occupied through the week, and is anyone using it more vulnerable to infection?

Good looks like being able to trace water from the main to every outlet and name who stands in front of each one. The common slip is starting the walk-round with no drawing, so you assess what is visible and miss what is boxed in behind a panel.

### Step 2 — Survey the system and build an asset register

Now walk it. List every storage tank, calorifier or cylinder, pump, thermostatic mixing valve and outlet. Record temperatures at representative (sentinel) points, note pipe materials and condition, and flag dead legs, blind ends and outlets that are barely used. The asset register is the backbone of everything that follows.

Good looks like every outlet accounted for, each tagged with how often it is used and whether it produces a spray. The classic mistake is counting rooms instead of outlets, and walking straight past the capped pipe serving a basin removed two refurbishments ago. HSE lists the systems most likely to generate risk — cooling towers, hot and cold water systems, spa pools — and those deserve the most scrutiny [5].

### Step 3 — Decide where Legionella could grow and who could breathe it in

This is the actual risk judgement, and it comes down to two conditions meeting: water sitting warm and still long enough for the bacteria to multiply, and a way for that water to be inhaled as a fine aerosol [7]. Cross your asset register against both. Flag the tepid zones, the dead legs, the low-use shower, the oversized cold tank in a warm plant room, the hot return gone lukewarm by the far wing. Then map the people: who stands in front of each aerosol-producing outlet, and are any of them older, unwell or otherwise more susceptible?

Good looks like a clear statement of where growth is plausible and who would be exposed if it happened (for a deeper checklist of what to look for, see [Identifying Legionella hazards in your water system](https://legionella.io/articles/identifying-legionella-hazards-in-your-water-system/)). The slip is treating every outlet as equal — a tap that fills a mop bucket is not the same hazard as a shower nobody has run in a fortnight.

### Step 4 — Rank what you found

A flat list of sixty observations helps no one. For each hazard, weigh how likely growth is against who is exposed and how serious that exposure would be, and separate immediate defects from underlying management weaknesses. A missing logbook and a stagnant shower over a vulnerable user are not the same priority. Good looks like a prioritised list where each item carries an owner and a timescale — a set of decisions someone can act on Monday morning, not a survey of facts.

### Step 5 — Write it up as a scheme people will actually use

Turn the findings into a written scheme of control: a description of the system, the risks identified, the control measures, the result that counts as acceptable, who monitors what and how often, who owns each action, and when the assessment is next reviewed. [Key components of a Legionella risk assessment](https://legionella.io/articles/key-components-of-a-legionella-risk-assessment/) breaks down each of those components in detail. L8 gives risk assessment and the review of controls Approved Code of Practice status, so this is a core duty, not an optional survey [1]. Keep the language plain.

Good looks like a maintenance technician being able to pick it up and know exactly what to do and what "in range" means. The slip is a technically impressive document that nobody on the ground can read.

## Turning a finding into the right action

Ranking tells you the order; this is how to decide what kind of response each finding needs. Start with the finding in front of you and work down:

- Could it expose someone to a water aerosol right now — a spray outlet in use, a visibly fouled system, a cooling tower out of control? Treat it as immediate. Isolate, restrict use or correct it before you move on; it does not belong in a routine scheme.
- If not immediate, is a control simply slipping — hot water not hot, cold water not cold, an outlet barely used, a dead leg holding warm water? Put it in the written scheme with a named control, an acceptable result, a frequency and an owner.
- If not that, is it built into the building — redundant pipework, an oversized tank, a layout that cannot hold temperature? Schedule remedial work, and set an interim control to hold the line until it is done.
- If not that, is it a management gap — no logbook, no named responsible person, readings taken but never reviewed? Fix the system around the water, not just the water.
- If none of the above, record it as monitored and give it a review date.

## How often to repeat it

A risk assessment is a living document, not an annual ritual. Review it at regular intervals — commonly cited as at least every couple of years — and, more importantly, whenever something changes: alterations to the system, a different use pattern, more vulnerable occupants, a new water-treatment contractor, or readings that drift out of range [1][2]. Confirm the right interval for your own system rather than defaulting to a calendar date.

## How to tell your assessment is any good

A sound assessment is readable, every action is owned and dated, the findings are ranked, and — the real test — it changes what happens on site. Sampling has a place here, but as verification or investigation, not as the assessment itself; HSE is clear that testing frequency should follow the system and the risk assessment rather than a fixed schedule [6]. A clean sample from a system you do not actually control is false comfort.

## Scope and competence: the honest limits

None of this sets the temperatures, dwell times, frequencies or limits for your building — those come out of the assessment itself, applied by someone competent to the system in front of them. A simple, low-risk system may be well within a trained responsible person's reach; a healthcare site, a building with a cooling tower, or anywhere with vulnerable users is a different matter and needs demonstrable competence. Treat the steps above as a way to structure the work, not as legal, medical or engineering advice for your specific premises.

## FAQ

### Can I carry out a Legionella risk assessment myself, or do I have to bring in a specialist?
For a small, simple system a competent responsible person can often do it, provided they genuinely understand the pipework and the controls. The moment you have stored water, a cooling tower, a spa or vulnerable users, the bar for competence rises and most duty holders appoint a trained assessor [3]. The duty to ensure it is done by someone competent stays with you either way.

### How long does a Legionella risk assessment take?
It depends almost entirely on the size and complexity of the system and how good the existing records are. A single small building with a clear schematic might be a few hours on site; a large, poorly documented estate with many outlets is a much bigger job. Rushing the survey to save time is usually where things get missed.

### Does a risk assessment mean taking water samples?
Not by default. The assessment is about understanding and controlling conditions — temperature, stagnation and cleanliness — not routine testing. Sampling is used where the risk assessment calls for it, to verify control or investigate a problem, and its frequency follows the system rather than a set timetable [6].

## Related reading

- [Duty Holder and Responsible Person roles in Legionella management](https://legionella.io/articles/duty-holder-and-responsible-person-roles-in-legionella-management/)
- [Thermostatic mixing valves and Legionella risk](https://legionella.io/articles/thermostatic-mixing-valves-and-legionella-risk/)
- [Key components of a Legionella risk assessment](https://legionella.io/articles/key-components-of-a-legionella-risk-assessment/)

## Sources

[1] HSE, "Legionnaires' disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)". https://www.hse.gov.uk/pubns/books/l8.htm
[2] HSE, "Legionnaires' disease: Technical guidance (HSG274)". https://www.hse.gov.uk/pubns/books/hsg274.htm
[3] HSE, "Legionnaires' disease - what you must do". https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[4] BSI, "BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice". https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1
[5] HSE, "Systems most likely to create legionella risk". https://www.hse.gov.uk/legionnaires/risk-systems.htm
[6] HSE, "Testing and monitoring your water system for legionella". https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm
[7] CDC, "How Legionella Spreads". https://www.cdc.gov/legionella/causes/index.html