--- title: "Reviewing and updating your Legionella risk assessment regularly" source_url: https://legionella.io/articles/reviewing-and-updating-your-legionella-risk-assessment-regularly/ canonical_url: https://legionella.io/articles/reviewing-and-updating-your-legionella-risk-assessment-regularly/ pillar: "Legionella Risk Assessment" summary: "Run a Legionella risk assessment review that catches control drift early: the triggers that should restart it, plus a symptom-to-action flow for UK sites." primary_keyword: "risk assessment review" date_published: 2025-09-03 date_reviewed: 2026-06-26 author: "Legionella.io editorial team (REMOTE TECH LTD)" reviewed_against: "HSE L8 and HSG274 guidance" region: "United Kingdom" license: "(c) REMOTE TECH LTD. Quote freely with attribution and a link to source_url." --- # Reviewing and updating your Legionella risk assessment regularly The risk assessment that gets a site into trouble is rarely the one that found faults. It is the one sitting in a folder, dated three summers ago, describing a water system that has quietly moved on. A calorifier has been swapped for a different model. A mothballed wing is back in use. Someone fitted a flexible hose under a third-floor basin during a refit and never told anyone. The document still reads "low risk", and everyone believes it. So a review is not a re-typing job. It is the point where you deliberately go hunting for the gap between the paper and the pipework, then decide what would keep that gap from opening again. That framing changes how you read your own assessment. You stop skimming for typos and start treating each control as a claim to be tested: is this still true on site today? ## Stop waiting for the calendar The instinct is to review on a fixed date and tick the box. The trouble is that water systems do not change on a schedule. They change when a contractor, a refurbishment or a shift in occupancy changes them. UK guidance reflects this: an assessment should be reviewed regularly, and specifically whenever there is reason to believe it is no longer valid [1][2]. In practice, the events that should restart the clock, roughly in order of how often they catch people out: - **The system changed.** New plant, replaced calorifiers, re-routed pipework, an outlet added or removed, insulation stripped during unrelated works. - **The use changed.** A floor reopened after closure, a department relocated, a building running at a fraction of design occupancy, a let property sitting empty between tenants. - **The people changed.** A new responsible person, a different water-treatment contractor, a maintenance team that has inherited the system without the history. - **The evidence changed.** Monitoring drifting out of range, the same tasks missed week after week, a sample result that raises questions, a complaint about temperature. - **Something happened.** A suspected or confirmed case linked to the building, which moves you out of routine review entirely (see escalation below). Only one of those is the calendar. A maximum interval still has its place: many duty holders work to one, commonly cited as around two years, but it is a backstop rather than the main event [1]. The trigger-based reviews are where the real risk lives. ## Working a review backwards: symptom to action The fault-finding mindset starts with a symptom, not the report. You notice something on site or in the records, then trace it back until you find the management weakness behind it. Use the table below as a diagnostic path: confirm the symptom, find the likely cause, run the check that proves it, then act. | What you notice | Most likely cause | The check that confirms it | What to do | | --- | --- | --- | --- | | A logged outlet you don't recognise, or readings recorded for points not on the asset register | The register and schematics are out of date; plumbing changed since the last survey | Walk the affected branch against the schematic and asset list | Update the register and written scheme; reassess that branch's risk | | A "cold" outlet running warm even though controls pass elsewhere | A nearby heat source, a re-routed pipe, or insulation removed during other works | Feel or measure the run; look for hot pipes or plant sharing the same void | Re-rank that asset, restore insulation or separation, then reassess | | A wing or floor back in use after a spell closed | The assessment assumed continuous use that never happened | Compare the occupancy record against the use pattern the assessment relied on | Add a flushing or recommissioning regime; sample if the risk assessment calls for it | | The same outlets failing flushing week after week | The control scheme does not match real staffing or real use | Read the task-completion records, not the intentions written into the scheme | Simplify the regime, remove genuinely redundant outlets, reassign the owner | | A TMV or flexible hose on site that the assessment never mentions | A change made through maintenance without updating the assessment | Cross-check maintenance and purchase records against the register | Assess the new fitting, fold it into the scheme, and fix the change process | The pattern worth watching: if the same weakness turns up in more than one row, you are not looking at isolated defects. You are looking at a process that lets the system change without the assessment keeping up, and that process is the thing to fix. ## When a finding can't wait for the cycle Some findings are not "note it for next time" items. A suspected or confirmed case of Legionnaires' disease associated with the building, a control that has failed across a whole system rather than one outlet, or a high-risk asset found completely unmanaged: these need action now, and usually a competent person rather than an in-house tidy-up [3]. The review then records what was done and why, so the decision holds up to scrutiny later. This is where honesty about limits matters. General guidance and a tidy table do not replace a site-specific assessment carried out by someone competent for your building. The temperatures, the monitoring frequency and what counts as an acceptable result are set by your own risk assessment and the way your system is built and used, not by a figure copied from a web page [4]. Where a number drives a real decision, check it against the current HSE and BSI guidance for your situation before you act on it. ## Before your next review You do not need to wait for the review date to start. This week, take your current risk assessment and walk one part of the building with it in hand: a plant room, a rarely-used wing, a top floor. For every outlet and asset you pass, ask one question. Does the document still describe what is actually here? Mark every mismatch. That list of mismatches is your real review agenda, and it will be more useful than anything the calendar produces. If the asset register and schematics turn out to be the weak link, and they usually are, start there. [Acting on your risk assessment](https://legionella.io/articles/acting-on-your-risk-assessment-setting-priorities/) covers turning those findings into ranked actions, and [Common issues found in Legionella risk assessments](https://legionella.io/articles/common-issues-found-in-legionella-risk-assessments/) maps the faults reviews most often surface. ## FAQ ### How often does a Legionella risk assessment legally have to be reviewed? There is no single fixed interval written into law. The expectation is that you review it regularly, and whenever there is reason to believe it is no longer valid, after changes to the system, its use, the people responsible, or the monitoring evidence [1][2]. Many sites also set a maximum interval as a backstop, commonly cited as around two years, but the change-driven reviews carry more weight than the date on the cover. ### A single new tap was fitted, so does that mean a full reassessment? Usually not a full rewrite, but the change cannot go unrecorded. Update the asset register, then assess the branch it sits on. The test is whether the change affects how water is stored, heated, kept moving, or delivered to people. One tap on a busy run may barely move the risk; the same tap on a dead leg in a quiet corner is a different conversation. ### Can we review it in-house, or does it need an external assessor? Competence is the requirement, not job title [5]. Routine in-house checks against the document, asking whether it still matches the site, are valuable and should happen between formal reviews. After a significant change, or where you lack the competence to judge the risk, a competent assessor is the safer call. Either way, accountability stays with the responsible person. ## Related reading - [Acting on your risk assessment: setting priorities](https://legionella.io/articles/acting-on-your-risk-assessment-setting-priorities/) - [Common issues found in Legionella risk assessments](https://legionella.io/articles/common-issues-found-in-legionella-risk-assessments/) - [Water Safety Plans: best practice vs legal requirement](https://legionella.io/articles/water-safety-plans-best-practice-vs-legal-requirement/) - [TMV maintenance: balancing scald risk and Legionella control](https://legionella.io/articles/tmv-maintenance-balancing-scald-risk-and-legionella-control/) ## Sources [1] HSE, "Legionnaires' disease. The control of legionella bacteria in water systems — Approved Code of Practice and guidance (L8)". https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, "Legionnaires' disease: Technical guidance (HSG274)". https://www.hse.gov.uk/pubns/books/hsg274.htm [3] HSE, "Legionnaires' disease — what you must do". https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [4] HSE, "Testing and monitoring your water system for legionella". https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm [5] BSI, "BS 8580-1:2019 — Risk assessments for Legionella control. Code of practice". https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1