An environmental health officer asks to see your Legionella paperwork. You hand over a full folder — risk assessment, a year of monthly temperatures, a clean lab certificate. Ten minutes later there is an improvement notice on the desk. Nothing in the folder was faked. The building had simply been run to a misreading of the guidance, not to the guidance itself.

That is how most Legionella enforcement actually happens. Not exotic engineering, but ordinary mistakes about what HSE expects: a figure read as a box to tick, an Approved Code of Practice mistaken for the statute, a sample treated as a clean bill of health. The two documents duty holders are meant to be working from — the Approved Code of Practice L8 and the technical guidance HSG274 [1][2] — are not especially long or contradictory. They get paraphrased on site until they mean something they never said.

The good news is that these guidance misunderstandings are predictable, and a predictable mistake is a preventable one. Here are the ones that turn up most often in UK buildings: what each looks like in practice, why it takes hold, and how to put it right.

The misreadings that cause the most trouble

“L8 is the law” — or “L8 is only guidance”

Both versions are wrong, and they fail in opposite directions. One duty holder treats every line of the ACoP as black-letter law and panics; another writes it off as advice they can safely ignore. The legal duties actually sit in the Health and Safety at Work etc. Act 1974 and COSHH. L8 is an Approved Code of Practice, which carries a particular status: follow the relevant parts and you are doing enough, but depart from them and you have to show you achieved the same protection another way — otherwise a court can treat the gap as evidence against you [1][3]. The fix is to read ACoP L8 as the benchmark you either meet or consciously better, never as optional and never as a rulebook to obey without understanding why.

Ticking the temperature box instead of controlling temperature

The classic tell is a monitoring sheet full of single readings, each ticked because it touched a target number once. It happens because numbers are easy to audit and the intent behind them is not. But the figures are a proxy for sustained conditions — hot water kept hot through storage and distribution, cold water kept genuinely cold, and how long an outlet has to run before it gets there [6]. A tap that reaches its target only after two minutes is telling you something a tap that reaches it in twenty seconds is not. Record how the reading was taken, not just the digit, and treat a slowly drifting trend as the early warning it is.

The “two-year review” myth

A reminder pops up to “renew” the risk assessment every two years, and nothing is looked at in between. The myth takes hold because contractors quote a review cycle and people hear a legal deadline. There is not one. The Legionella risk assessment review should happen regularly and, more importantly, whenever there is reason to suspect the assessment is no longer valid — a system alteration, a changed occupancy or use pattern, new vulnerable people exposed, or a control that has been failing [3][5]. A two-year-old assessment for an unchanged building may be perfectly current; a six-month-old one for a site that has mothballed a wing is already out of date.

Mistaking sampling for control

Here the annual sample becomes the headline proof of safety, and temperature and flushing records get treated as background noise. A lab number feels objective; daily control feels like chores. The trouble is that Legionella sampling verifies — it does not control. HSE guidance is clear that testing frequency follows the system and the risk assessment rather than a fixed calendar, and any result describes one outlet at one moment [4]. Control is temperature, movement and cleanliness; the sample only tells you whether that control is holding. If your evidence of safety is mostly certificates rather than conditions, you have the order backwards — the same inversion behind many of the savings dissected in Cutting corners.

Reading “low risk” as “nothing to do”

A risk assessment concludes low risk, gets filed, and then nothing follows: no written scheme, no monitoring, no review date. The cousin of this is “we have no cooling tower, so none of it applies.” Both misread the conclusion. A low-risk finding is a justified decision about a real system, not an exemption — it still has to be recorded properly, kept current, and backed by proportionate control [3][5]. A hot-and-cold water system in any occupied building carries duties whether or not there is a tower on the roof.

Assuming the contractor’s certificate is your compliance

“Our water hygiene company handles all of it” is one of the most expensive sentences in the building. Outsourcing the tasks feels like outsourcing the duty, but it is not. The duty holder keeps accountability and oversight; bringing in a competent person is sensible and expected, yet the responsible person still has to understand what is being done and check that it is [3]. A certificate proves a visit happened. It does not prove you were in control between visits.

If you fix only one thing

Stop auditing tasks and start auditing decisions. For every control on site, you should be able to say in a sentence why it exists, what result is unacceptable, and what happens when that result appears. “This outlet is flushed weekly because it is used intermittently; a missed flush goes to the responsible person; repeated misses trigger a use-pattern review” is worth more than a year of unexplained ticks. That is also exactly what a serious audit goes looking for — The importance of regular audits shows how that scrutiny plays out in practice.

So this week, pull your last risk assessment and one month of monitoring and, for each control, write that single sentence. The first control you cannot explain is your first real gap — and it is far cheaper to find it yourself than to have an inspector point at it.

A note on applying any of this

None of the above is legal advice, and no web page can sign off your building. Where it differs from a competent person who has actually walked your plant rooms, risers and outlets, follow them. The temperatures, intervals and actions HSE publishes are starting points; a site-specific assessment is what turns them into decisions for your particular system and the people who use it.

FAQ

Is ACoP L8 actually the law, or just guidance?

Neither, exactly. The legal duties sit in the Health and Safety at Work etc. Act 1974 and COSHH. L8 is an Approved Code of Practice, which has special legal status: follow the relevant provisions and you are doing enough, but depart from them and you must show you achieved equivalent protection another way — or a court can treat the shortfall as evidence against you [1][3].

Does our Legionella risk assessment have to be reviewed every two years?

There is no fixed statutory interval. Review it regularly and, crucially, whenever there is reason to think it is no longer valid — a change to the system, the use pattern, the people exposed, or a control that has been failing [3][5]. A two-year prompt is a reasonable default, not a legal deadline, and it does not excuse leaving a changed building unreviewed in between.

If the assessment says “low risk”, is there anything left to do?

Yes. A low-risk conclusion still has to be recorded, kept current, and supported by proportionate control and review [3][5]. It is a justified decision about a real water system, not a release from the duty — and “no cooling tower” does not mean “no obligations”.

Sources

[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm

[2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm

[3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm

[4] HSE, “Testing and monitoring your water system for legionella”. https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm

[5] BSI, “BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1

[6] HSE, “Hot and cold water systems”. https://www.hse.gov.uk/legionnaires/hot-and-cold.htm