A spreadsheet costs nothing, opens on any laptop, and bends to whatever columns you fancy. That flexibility is exactly why it tends to fail an audit. The real choice is not free versus paid. It is an unconstrained file one person maintains against a constrained system that records who did what, and when, and won’t quietly let the past be edited.
So before you copy last year’s tab and rename it, decide what these records are actually for. If they only have to satisfy you, a spreadsheet is fine. If they have to satisfy an inspector, an insurer or an incoming responsible person who has never met you, the requirements change.
The decision you’re actually making
L8 expects duty holders to keep records of monitoring and the management arrangements, and to be able to produce them on request [1]. The frequency of monitoring and what gets recorded is set by your site risk assessment, not by the tool [2]. Both a spreadsheet and an app can hold the numbers. The difference is everything around the numbers: who entered them, whether they were entered on the day or backfilled in a panic, and whether anyone has changed a reading since.
A spreadsheet treats every cell as equally editable forever. That is its strength as a calculator and its weakness as a record. A reading from March can be overwritten in November and the file looks identical afterwards. No prompt, no trace, no second person any the wiser.
A dedicated app inverts that. It is harder to bend, deliberately, because a compliance record is supposed to be hard to bend.
The axes that decide it
Four things separate these tools in practice. Ignore feature lists and judge on these.
Cost. A spreadsheet’s licence is effectively nil. Its real cost is the hours someone spends maintaining it, chasing missing entries, and rebuilding an evidence pack from four versions named “final”. An app carries a visible subscription and the friction of those costs largely moves onto the vendor. Whether that trade pays back depends on how often you have to prove anything, a point worth weighing properly in a cost-benefit analysis.
Error risk. Manual cells invite fat-finger mistakes, a flush logged against the wrong asset, a date that autocorrects to the wrong year. Worse, a stray edit to one formula can silently mislabel weeks of temperature readings as “pass”. An app constrains input to known assets, known tasks and sane values, so the common slips get caught at the point of entry.
Audit-readiness. This is where the gap is widest. An inspector wants to see twelve months of evidence quickly and trust it. A spreadsheet offers no native audit trail and no real version history once the file is copied or emailed around. An app timestamps each entry, ties it to a named person, and keeps superseded values rather than discarding them.
Who maintains it. A spreadsheet usually lives with one capable person. When they leave, the formulas, the colour rules and the unwritten conventions leave with them. An app’s structure survives staff turnover, which matters more than most teams admit until a handover goes badly.
Spreadsheet vs dedicated app, side by side
| Decision axis | Excel / Google Sheets | Dedicated Legionella app |
|---|---|---|
| Up-front cost | Effectively free; uses tools you own | Subscription, usually per site or asset |
| Real ongoing cost | Your time: chasing, reconciling, rebuilding packs | Lower admin friction; vendor carries the upkeep |
| Error control | Open cells; a broken formula can mislabel readings | Input constrained to known assets, tasks and ranges |
| Audit trail | None native; edits leave no trace | Timestamped entries tied to a named user |
| Version history | Lost the moment the file is copied or emailed | Superseded values retained, not overwritten |
| Tamper-evidence | A past reading can be changed invisibly | Changes are logged and visible |
| Scheduling / reminders | Manual; you remember or you don’t | Tasks due and overdue surfaced automatically |
| Survives staff turnover | Tends to leave with its author | Structure persists regardless of who’s on shift |
Which to pick, and when
Spreadsheets are not the wrong answer for everyone. The pragmatic call is this.
A spreadsheet is defensible when the estate is small and stable, one diligent person owns it, the assets barely change, and you are realistic that its value rests on that person’s discipline rather than any built-in control. A single small building with a couple of calorifiers and a handful of sentinel outlets can be run well from a sheet for years.
A dedicated app earns its keep once any of these is true: multiple sites or many assets, contractors logging alongside in-house staff, real staff turnover, or a history of audits, insurer queries or a past incident that makes provable records non-negotiable. In my view the tipping point is people, not asset count. The moment more than one person touches the record, the spreadsheet’s lack of a trustworthy audit trail starts to cost you. The features that close that gap are worth knowing in detail before you buy, and effective record-keeping software covers what to insist on.
The caveats worth stating
An app is not a free pass. It records what people enter, so a constrained system fed lazy data is still a weak record. And colour-coded “pass/fail” flags in a spreadsheet are only as honest as the formula behind them; the day someone edits that formula, every cell it touches lies in unison. That single failure mode, a quiet change to logic that governs many readings at once, is the one I would lose sleep over on a spreadsheet.
None of this replaces a site-specific judgement. The control limits your temperatures are checked against, how often you monitor, and what must be retained all come from a competent person working through your own risk assessment under ACoP L8 and HSG274 [1][2]. Treat the spreadsheet-versus-app question as a records decision sitting underneath that assessment, not a substitute for it.
If you want to test where you stand today, try one thing this week. Take a temperature reading from six months ago in your current spreadsheet, change it, save, and ask a colleague whether they could tell. If the honest answer is no, you have just found the reason audit-grade records usually move off Excel. Switching from a spreadsheet to a digital logbook is the same step many teams take after they fail that test, and it is easier to plan deliberately than to do in a rush before an inspection.
FAQ
Can a locked, macro-protected spreadsheet pass as a compliant record?
Locking cells and protecting sheets helps with accidental edits, but it is not the same as an audit trail. Protection can be removed by anyone with the password or the file, and it still won’t tell an inspector who entered a reading or whether it was changed later. It reduces error risk; it does not give you tamper-evidence.
Will an inspector actually reject a spreadsheet?
Not automatically. HSE guidance focuses on whether you can produce records of monitoring and management arrangements, not on the file format [1]. A clean, complete, well-kept spreadsheet can satisfy that. The risk is not the format itself but the gaps, the unexplained edits and the missing trail of who did what, which spreadsheets make harder to defend.
What does “tamper-evident” really mean for these records?
It means a changed entry leaves a visible mark: the old value is retained, the edit is timestamped, and it is attributed to a person. A spreadsheet overwrites the past silently. A dedicated app keeps the superseded reading alongside the change, so the history of a record is itself part of the record.
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - ACoP and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm