Legionella risk assessment: the parts that matter

Search for the key components of a Legionella risk assessment and you get the same checklist everywhere: a system description, an asset register, a schematic, the sources of risk, the people at risk, the control measures, the records, the review date. Every item belongs there. None of it is the assessment.

A list of components is a packing list. The risk assessment is the decision those components let you make — which parts of this building’s water could grow and spread Legionella, who would be harmed, and what gets fixed first. Get the parts but miss the decision and you have an expensive document that changes nothing on site.

That is the failure mode worth naming. Plenty of reports are graded on completeness: every section present, every box ticked, signed off. They pass an audit and still leave the maintenance team without a clear, ranked, owned list of what to do on Monday. In my view the components of a Legionella risk assessment only earn their place in the order they unlock a decision.

Four questions, in the order that matters

Treat the standard components not as a list but as evidence gathered to answer four questions in sequence. If a question is unanswered, everything below it is decoration.

1. What have I actually got? This is the system description, the asset register and the schematic — the map of every tank, calorifier, length of pipe and outlet, hot and cold. L8 gives Approved Code of Practice status to assessing the risk, and you cannot assess what you have not first described [1]. BS 8580-1, the dedicated code of practice for Legionella risk assessments, sets out the content expected here [4].

2. Where could Legionella grow, and who would breathe it in? Now you mark the map. Where does water sit warm and still — dead legs, low-use outlets, oversized storage, a hot return that has gone tepid by the far end? Where is there scale, sediment or biofilm to feed it? Then the exposure half: which outlets throw a breathable aerosol — showers, spray taps, some hoses — and who is nearby, and how susceptible are they? HSG274 carries the technical detail behind each of these conditions [2].

3. So how bad is each finding, really? This is risk evaluation and ranking, and it is the part most often lost under a colour-coded matrix that rates everything amber. A real verdict separates “isolate or fix this week” from “monitor and review”. Without it, a team facing thirty findings has no idea which three actually matter.

4. Who owns what next, and when do we look again? The written scheme of control, a named responsible person, each action with an owner and a date, and the triggers that force a review. This is the point where an assessment turns into management.

The component everyone underrates

If one part quietly decides whether the whole assessment is sound, it is the system schematic and the asset register behind it. Reports treat the drawing as an appendix. It is load-bearing — every finding downstream inherits its errors. You cannot assess a dead leg you cannot see.

The trap is that the schematic in the report is often the as-built design, not the building as actually plumbed. Buildings drift. A urinal gets removed and leaves a capped spur. Someone fits a blending valve under a sink. A storage tank is swapped for a smaller one during a refurb and nobody redraws anything. A drawing that no longer matches the pipework hands false confidence to everyone who reads it.

The related blind spot is access. An assessor grades what they were shown on the walk-round. The highest-risk asset is frequently the one nobody opened the door to — the shower in a void room, the locked plant space, the wing that “we don’t really use”. So ask the question most reports never record: what wasn’t accessed, and why? An honest list of what could not be inspected is worth more than a confident assessment of only the easy half.

Turning the components into action

The habit that separates a useful assessment from a tidy one is writing down the decision, not just the finding. “Dead leg on the third-floor washroom spur” is a finding. “Dead leg on the third-floor spur — remove at next planned works, flush weekly until then, owner M. Shah, re-check at review” is a decision.

The significant findings section is the part an inspector reads first — not the matrix, not the photographs. It should read as a ranked action list any competent person could pick up and run. If your current report buries that under appendices, that is the first thing to fix.

When you are building an assessment from scratch, the sequence in How to carry out a Legionella risk assessment step by step walks through it; for when a finished assessment needs revisiting, When to conduct a Legionella risk assessment covers the triggers that should pull it forward.

Where this framework stops

Four questions organise judgement; they do not replace it. A Legionella risk assessment is site-specific work for a competent person, and the numbers that separate acceptable from unacceptable — temperatures, sampling, monitoring intervals — come from your system and the assessor’s evaluation, not from a framework like this one. Sampling has its place for verification, but HSE is clear that testing frequency should follow the system and the risk assessment rather than a fixed calendar [3]. Use the four questions to check that an assessment is doing its job; use a competent assessor to answer them.

FAQ

What’s the difference between the risk assessment and the written scheme of control?

The assessment finds and ranks the risk — where Legionella could grow and who is exposed. The written scheme of control says how you will manage it day to day: the tasks, temperatures, flushing and checks, and who does them. One diagnoses, the other treats. A common gap is a thorough assessment with no scheme translating it into routine work.

Does a Legionella risk assessment have to include a schematic drawing?

For anything beyond the very simplest system, expect one. The schematic is how both the assessor and your own team can see dead legs, storage and how the system fits together. If yours is missing, or no longer matches the building, treat that as a finding in its own right rather than a missing appendix.

Who is allowed to carry out a Legionella risk assessment?

Someone competent — with the right knowledge, experience and equipment for your particular system. It can be in-house or contracted, but the duty holder stays accountable for choosing a competent assessor and acting on what comes back [3]. Outsourcing the survey does not outsource the responsibility.

Your next step

Pull your current risk assessment and run one test on it: take the three highest-rated findings and check that each has a named owner and a date against it. If you cannot, the assessment has not finished its job yet — and closing that gap matters more than booking the next survey.

Sources

[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems — Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] HSE, “Testing and monitoring your water system for legionella”. https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm [4] BSI, “BS 8580-1:2019 — Risk assessments for Legionella control. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1

Key components of a Legionella risk assessment