Legionella Risk Assessment: What UK Employers Must Know

Legionnaires’ disease kills between 30 and 50 people in the UK each year, and many more cases go unreported or are misdiagnosed. The bacteria responsible — Legionella pneumophila — thrive in poorly maintained water systems, and every workplace with a water system is potentially at risk.

UK law requires all employers and building managers to assess and control the risk of legionella in their water systems. Yet legionella risk assessments remain one of the most commonly overlooked health and safety obligations, particularly among small and medium-sized businesses.

This guide explains what legionella is, who needs a risk assessment, what the assessment must cover, and how to maintain ongoing compliance.

What Is Legionella?

Legionella is a genus of bacteria found naturally in freshwater environments such as rivers, lakes and reservoirs. At low concentrations, the bacteria pose little risk. However, when water is stored or distributed in man-made systems at the right temperature (20-45°C), legionella can multiply rapidly to dangerous levels.

People become infected by inhaling small droplets of contaminated water (aerosols), not by drinking it. Common sources of aerosols include:

Showers and taps
Cooling towers and evaporative condensers
Hot tubs and spa pools
Humidifiers and air conditioning systems
Decorative fountains
Fire sprinkler systems (when tested)

Legionnaires’ disease is the most serious form of infection — a severe pneumonia that can be fatal, particularly in vulnerable individuals (older people, smokers, those with underlying health conditions or compromised immune systems). Pontiac fever is a milder, flu-like illness caused by the same bacteria.

The Legal Framework

COSHH Regulations 2002

Legionella is classified as a biological agent under the Control of Substances Hazardous to Health Regulations 2002 (COSHH). This means employers must:

Assess the risk of exposure to legionella
Prevent or adequately control exposure
Monitor the effectiveness of controls
Keep records

COSHH provides the overarching legal framework. The specific application to legionella is detailed in the L8 Approved Code of Practice.

L8 Approved Code of Practice

Legionnaires’ disease: The control of legionella bacteria in water systems (known as L8) is the HSE’s Approved Code of Practice (ACoP) for managing legionella risks. An ACoP has a special legal status: while it is not the law itself, failure to follow its provisions can be used as evidence of non-compliance with the law (COSHH and the Health and Safety at Work etc. Act 1974).

L8 sets out the duties of employers and those responsible for water systems, including:

Identifying and assessing sources of risk
Preparing a written scheme for preventing or controlling the risk
Implementing, managing and monitoring precautions
Keeping records
Appointing a competent person (or persons) to manage the risk

HSG274: Technical Guidance

The HSE supplements L8 with the HSG274 series of technical guidance documents:

HSG274 Part 1: The control of legionella bacteria in evaporative cooling systems
HSG274 Part 2: The control of legionella bacteria in hot and cold water systems
HSG274 Part 3: The control of legionella bacteria in other risk systems

For most employers, Part 2 (hot and cold water systems) is the most relevant, covering the water systems found in offices, shops, factories, hotels, care homes, schools and similar premises.

Health and Safety at Work etc. Act 1974

The general duties under the HSWA also apply. Employers must ensure, so far as is reasonably practicable, the health and safety of their employees and others who may be affected by their undertaking. This includes managing the risk of legionella in water systems under their control.

Who Needs a Legionella Risk Assessment?

The short answer: virtually every employer and building manager.

If you are an employer, a landlord, or someone in control of premises with a water system, you have a duty to assess and manage the risk of legionella. This applies to:

Office buildings with hot and cold water systems
Factories and warehouses with welfare facilities (showers, canteens)
Retail premises with staff and customer facilities
Hotels, restaurants and hospitality venues
Care homes and healthcare facilities (particularly high risk)
Schools, colleges and universities
Leisure facilities with pools, showers or spa equipment
Residential landlords with shared water systems

The only exemption is domestic premises where the occupier controls the water system themselves. If you provide accommodation with communal water systems (e.g. a block of flats with shared hot water), you are responsible.

Common Misconception: “My Premises Are Low Risk”

Many employers assume their premises are low risk because they do not have cooling towers or spa pools. While it is true that these systems present higher risks, every hot and cold water system has the potential to harbour legionella if:

Water is stored or distributed at temperatures between 20°C and 45°C
There are areas of stagnation (dead legs, unused outlets, infrequently used facilities)
There is scale, rust, sludge or biofilm in the system
The system is old, complex or poorly maintained

Even a simple office with a kitchen and toilets requires a legionella risk assessment. The assessment may conclude that the risks are low and that routine management measures are sufficient — but the assessment must still be done and documented.

What the Risk Assessment Must Cover

A legionella risk assessment should be carried out by a competent person — someone with sufficient training, knowledge and experience to identify risks and recommend controls. For simple systems, a trained internal person may be competent. For complex systems or higher-risk premises, an external specialist is usually appropriate.

The Assessment Process

The risk assessment must include:

1. Understanding the Water System

Map the system: Identify all water sources, storage tanks, distribution pipework, outlets and associated equipment
Create a schematic: Produce a schematic diagram of the system showing all components
Identify system characteristics: Note materials, age, complexity and any modifications

2. Identifying Risk Factors

The assessment must consider whether conditions exist that could enable legionella to proliferate. Key risk factors include:

Temperature:

Is the cold water stored or distributed above 20°C?
Is the hot water stored below 60°C or distributed below 50°C?
Are there areas where the temperature falls within the 20-45°C danger zone?

Stagnation:

Are there dead legs (sections of pipework with no flow)?
Are there outlets that are rarely or never used?
Are parts of the building unoccupied for extended periods?
Are there storage tanks that are oversized for the demand?

Nutrients and deposits:

Is there scale or corrosion in the system?
Is there sludge, sediment or biofilm?
Are there materials in the system that could support bacterial growth?

Aerosol generation:

Are there showers, spray taps, cooling towers or other aerosol-generating devices?
Could aerosols reach people (employees, visitors, members of the public)?

3. Identifying Susceptible People

Consider who could be exposed to contaminated aerosols, paying particular attention to vulnerable individuals:

Employees over 45 years of age
Smokers or heavy drinkers
People with chronic respiratory conditions
People with compromised immune systems
Visitors, contractors and members of the public

4. Assessing the Current Controls

Review existing measures to determine whether they are adequate:

Temperature controls (hot water stored at 60°C, distributed at 50°C; cold water below 20°C)
Flushing regimes for infrequently used outlets
Cleaning and disinfection schedules
Maintenance of calorifiers, tanks, showerheads and other components
Water treatment (if applicable)
Monitoring and record-keeping

5. Recommending Actions

Where risks are not adequately controlled, the assessment must recommend specific actions, including:

Engineering controls (removing dead legs, improving insulation, replacing components)
Operational controls (flushing regimes, temperature monitoring, cleaning schedules)
Management controls (appointing a responsible person, training, record-keeping)

The Written Scheme

Following the risk assessment, you must prepare a written scheme (sometimes called a legionella management plan) that sets out:

The measures you will take to prevent or control the risk
Who is responsible for each measure
The frequency of each measure (e.g. monthly temperature checks, quarterly cleaning)
What records will be kept
When the risk assessment will be reviewed

The written scheme is a living document — it must be updated whenever changes are made to the water system, the building or the risk assessment findings.

Monitoring and Ongoing Compliance

Temperature Monitoring

Regular temperature monitoring is a cornerstone of legionella control:

Hot water storage (calorifiers): Check the temperature monthly. It must be stored at 60°C or above
Hot water distribution: Check the temperature at sentinel outlets (nearest and furthest from the calorifier) monthly. It should reach 50°C within one minute of running
Cold water storage: Check the temperature monthly. It must be stored below 20°C
Cold water outlets: Check the temperature at sentinel outlets monthly. It should be below 20°C within two minutes of running

Flushing

Outlets that are not used at least weekly should be flushed for at least two minutes to prevent stagnation. This includes:

Taps and showers in unused offices, meeting rooms or guest rooms
Emergency showers and eyewash stations
Outlets in seasonal or holiday premises
Any outlet not used for 7 days or more

Cleaning and Maintenance

Showerheads: Clean and descale quarterly (more frequently if scale builds up quickly)
Cold water storage tanks: Inspect annually, clean and disinfect as needed
Calorifiers: Inspect and clean annually
Point-of-use filters: Replace according to manufacturer’s instructions
TMVs (thermostatic mixing valves): Service and check annually

Record-Keeping

You must keep records of all monitoring, maintenance and actions taken. Records should include:

Temperature monitoring results (dates, locations, readings)
Flushing records (dates, outlets, duration)
Cleaning and maintenance records (dates, actions, findings)
Risk assessment and written scheme (including all revisions)
Details of any incidents, investigations or remedial actions

Retention period: The HSE recommends keeping legionella records for at least 5 years. Some guidance suggests retaining risk assessments and written schemes for the life of the system, and L8 itself states records should be kept for a period proportionate to the risk — typically interpreted as 2-5 years for monitoring records and indefinitely for risk assessments.

Digital record-keeping systems make this far more manageable than paper-based approaches. A digital checklist system can schedule and track all monitoring activities, ensure nothing is missed and provide a clear audit trail for inspectors.

Seasonal Risks and Building Closures

Legionella risks increase significantly during certain periods:

Summer Months

Rising mains water temperatures may push cold water systems above 20°C
Increased ambient temperatures can affect pipework in ceiling voids and risers
Holiday periods may mean outlets are unused for longer than usual

After Building Closures

Extended building closures (holidays, refurbishments, pandemic restrictions) create conditions that are ideal for legionella growth:

Stagnant water sits in the system for weeks or months
Temperature controls may be compromised (heating turned off, no water flow)
Biofilm and sediment can accumulate

Before reopening a building after an extended closure, you should:

Review the legionella risk assessment
Flush all outlets thoroughly
Check temperatures throughout the system
Clean and disinfect showerheads, taps and other outlets
Consider a full system disinfection if the closure was prolonged
Test water samples if appropriate (particularly in high-risk premises)

Seasonal Premises

Premises that are used seasonally (holiday accommodation, outdoor activity centres, agricultural buildings) require particular attention. The risk assessment and written scheme should include specific provisions for recommissioning the water system at the start of each season.

Enforcement and Penalties

The HSE and local authorities enforce legionella legislation. Enforcement action can include:

Improvement notices: Requiring you to carry out a risk assessment, implement controls or improve your management of the risk within a specified period
Prohibition notices: Stopping the use of a water system that presents a serious risk until the issue is resolved
Prosecution: For serious breaches or where exposure to legionella has occurred

Penalties for non-compliance can be severe. In the Crown Court, fines are unlimited and custodial sentences are possible for the most serious cases. Directors, managers and other officers can be personally liable if they consented to or were negligent about the breach.

In civil cases, employers and building managers have faced substantial compensation claims from individuals who contracted Legionnaires’ disease due to poorly maintained water systems. Cases involving care homes, hotels and leisure facilities have resulted in significant settlements and judgments.

The Competent Person Requirement

L8 requires that you appoint a competent person to help you comply with your legionella duties. The competent person must have sufficient training, knowledge and experience to:

Carry out or commission the risk assessment
Develop the written scheme
Implement and manage the control measures
Monitor the effectiveness of controls

For simple water systems (a small office with straightforward hot and cold water), the competent person could be an internal manager who has received appropriate training. For complex systems (large buildings, cooling towers, healthcare premises), you will likely need to appoint an external specialist — typically a water hygiene consultant or a legionella risk assessment company.

Whoever you appoint, the legal responsibility remains with the employer or dutyholder. You cannot delegate your legal duties by outsourcing legionella management. You must ensure that the competent person is genuinely competent and that their recommendations are being implemented.

Connecting Legionella to Your Wider Compliance Framework

Legionella risk assessment is one part of your overall health and safety management system. It connects to several other compliance areas:

COSHH assessments: Legionella is a biological hazard under COSHH. Your legionella risk assessment may form part of your broader COSHH assessment programme
General risk assessments: Legionella risks should be referenced in your general workplace risk assessments and included in your health and safety management plan
Incident reporting: Cases of Legionnaires’ disease are reportable under RIDDOR as a reportable occupational disease
Building maintenance: Legionella controls overlap with general building maintenance schedules. Integrating them into a single system reduces the risk of things being missed

Take Control of Your Legionella Compliance

Legionella risk management does not have to be onerous. For most workplaces, the measures required are straightforward — regular temperature monitoring, flushing of unused outlets, routine cleaning and good record-keeping. The key is having a structured approach that ensures nothing falls through the cracks.

Start with a competent risk assessment, develop a written scheme that sets out your controls, and use systematic monitoring to ensure those controls are working. Our Risk Assessments feature provides a structured framework for managing legionella alongside your other workplace risks, while our Digital Checklists feature ensures that monitoring tasks are scheduled, completed and recorded — giving you a clear audit trail and peace of mind.