How I Use the Legionella Control Template with Customers in Pilla

I'm Liam Jones, NEBOSH-qualified health and safety consultant and founder of Pilla. This is how I approach legionella control policies in a health and safety management system, based on close to twenty years in frontline operations and advising hundreds of businesses on compliance. You can email me directly; I read every email.

Legionella is the policy that sits in the bottom drawer until someone gets ill. I've audited buildings where the risk assessment was five years old, the responsible person had left the company two years ago, and nobody could tell me when the last temperature check was done. The water system hadn't changed. The bacteria hadn't waited.

Most businesses know legionella is a legal requirement. Fewer know what that actually means in practice: who's responsible, what monitoring looks like week to week, and what happens when an HSE inspector asks to see your records. That's what this article covers. I'll walk you through the legal framework, give you a template you can edit for your own operation, and flag the gaps I see most often when reviewing legionella management systems.

Key Takeaways

  • What is legionella control in health and safety? Legionella control is the system of risk assessment, water management, monitoring, and record-keeping that prevents legionella bacteria from growing in water systems and exposing people to Legionnaires' disease, a serious and sometimes fatal form of pneumonia
  • Why do you need a legionella control policy? The Approved Code of Practice L8, supported by COSHH 2002 and the Health and Safety at Work etc Act 1974, requires employers to assess and control legionella risks in their water systems. An HSE inspector will ask to see your risk assessment, your water management plan, and evidence that controls are actually being carried out
  • How do you set it up in Pilla? Use the knowledge hub template below, edit it to match your operation, and share it with your team through the app so everyone has access and you can track who's read it
  • How do you automate the follow-up? Set up Poppi to chase staff who haven't acknowledged the policy and flag when it's due for review

Article Content

Understanding What's Required of You

Legionella bacteria grow in water systems. When people breathe in contaminated water droplets from showers, cooling towers, or hot tubs, they can develop Legionnaires' disease. It's a severe form of pneumonia, and it kills. The HSE reports dozens of deaths a year in the UK, and those are just the confirmed cases.

Under health and safety law, legionella bacteria are classified as substances hazardous to health. That pulls in several pieces of legislation at once. The Health and Safety at Work etc Act 1974 creates the general duty to protect employees and others. The Management of Health and Safety at Work Regulations 1999 require you to assess workplace hazards, legionella included. COSHH 2002 specifically covers micro-organisms like legionella as hazardous substances. And then there's the Approved Code of Practice L8, which is the document that matters most. L8 tells you exactly how to identify and manage legionella risks, and it carries special legal weight: if you're prosecuted and you haven't followed L8, the burden is on you to show your approach was equally effective.

HSG274, published in three parts, sits underneath L8 and gives the technical detail. Part 1 covers evaporative cooling systems. Part 2 covers hot and cold water systems, which is the one most businesses need. Part 3 covers other risk systems.

The practical requirements are straightforward, even if the regulatory framework looks complicated. You need a suitable and sufficient risk assessment of your water systems. You need a water management system based on the findings. You need someone appointed as the responsible person to oversee the whole thing. And you need monitoring, records, and regular review to prove it's actually working. An HSE inspector won't just ask whether you have a legionella policy. They'll ask to see the risk assessment, the management plan, the temperature records, and evidence that someone competent is overseeing it all.

I've walked into buildings where the legionella risk assessment was done when the lease was signed and never looked at again. The water system had been modified twice since then. Dead legs had been created where pipework was capped off. Nobody was flushing infrequently used outlets. On paper, the duty was met. In practice, the controls had drifted so far from reality that they were meaningless.

Setting It Up as a Knowledge Hub Entry

I've built a legionella control template in Pilla covering organisational duties, risk assessment requirements, responsible person appointments, water management systems, procedures, training, monitoring, and review. It gives you a structured starting point, but you need to edit it to reflect your actual water systems and management arrangements.

In the knowledge hub, create a new entry and tag it with "Health and Safety System". Use the same tag across all of your health and safety policies so they are grouped together and Poppi can track them as a set. Assign the entry to all teams so that everyone in the business can access it.

The template is designed to be edited, not just filed. Read through every section. Where it says "Company Name", replace it with your business name. Where it refers to responsible persons, name them. Where it describes duties, check they match what actually happens in your building. If your operation doesn't have evaporative cooling systems, you can note that Parts 1 and 3 of HSG274 don't apply. If you manage multiple buildings, each one needs its own risk assessment and management plan.

Knowledge Hub Template·Legionella Control

15. ​Legionella

Approved Code of Practice L8 – Legionnaires' Disease – the control of legionella bacteria in water systems

The Health and Safety at Work etc. Act 1974

Management of Health & Safety at Work Regulations 1999

C.O.S.H.H 2002

The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, specifically Regulation 12(2)(h) and Regulation 15 of the Act

HSG274 Part 1 - The control of legionella bacteria in evaporative cooling systems

HSG274 Part 2 - The control of legionella bacteria in hot and cold-water systems

HSG274 Part 3 - The control of legionella bacteria in other risk systems

Company Name have a duty to ensure the health and safety at work of their employees and to ensure that the health and safety of other people is not affected by their work activities. They also have duties to prevent or reduce exposure to substances hazardous to health and to assess the risks to health from their use. Micro-organisms such as legionella are defined as substances hazardous to health. Company Name have a duty to comply with and manage in line with any legionella management system implemented in the buildings they have been instructed to manage.

We do this by:

Responsible Persons to identify whether there is a suitable and sufficient risk assessment of the water system to identify the risk associated with legionella.

Responsible Persons to arrange legionella risk assessment and implement a water management system based on the significant findings from the risk assessment.

Responsible Persons to review existing legionella management system in place or identify whether a risk assessment with recommendations which has been undertaken.

Review documentation to ensure existing control measures meet the standards set-out in the recommended actions section of the assessment or management system.

Plan so existing controls are facilitated by Company Name.

Responsible Persons to manage this process and to develop and implement procedures, Safe Working Practices, and control measures.

Where we know responsibility for facilitation of work is the responsibility of the Company Name, making sure that our workforce is fully trained, aware and that the work activity is arranged so the risk is managed.

Employees and others adhering to the contents of procedures, control measures and Safe Working Practices.

Monitoring and reviewing our systems; the protocols in place are adequate to sufficiently manage the risks from legionella.

This is a preview of the template. In Pilla, you can edit this to match your business.

What I'd want to see when reviewing this:

The responsible person appointment is the section I check first. Someone specific needs to own legionella control, and that person needs to know they own it. I've reviewed management systems where the responsible person was listed as "the facilities manager" but the actual facilities manager had no idea the duty sat with them. Name the person. Make sure they've accepted the responsibility and have the training to carry it out.

The risk assessment section matters because everything else flows from it. The template sets out the requirement to identify whether a suitable and sufficient assessment exists, and to arrange one if it doesn't. What I'd want to see in practice is the date of your last assessment, the name of the assessor, and evidence that the recommendations were acted on. A risk assessment that sits in a folder with unaddressed recommendations is worse than no assessment at all, because it proves you knew about the risks and did nothing.

The monitoring and review section closes the loop. Controls need checking. Records need keeping. Systems need reviewing when things change. I'd want to see a clear schedule: who checks what, how often, and what happens when a reading is out of range.

Common mistakes I see:

The most common mistake is treating the risk assessment as a one-off exercise. I've seen assessments from 2018 still cited as current in buildings where the water system has been modified three times since. L8 is clear: assessments must be reviewed periodically and after significant changes. If you've added outlets, changed the system layout, or modified temperature controls, your assessment needs updating.

The second mistake is appointing a responsible person on paper but not giving them the time, training, or authority to do the job. Legionella control involves arranging assessments, implementing management systems, reviewing documentation, and chasing contractors. If the responsible person is also running the building day to day with no dedicated time for water safety, the monitoring slips within weeks.

The third mistake is poor record-keeping. Temperature checks happen, but the records are patchy. Out-of-range readings get recorded without any corrective action noted alongside them. An HSE inspector doesn't just want to see that you're monitoring. They want to see that when monitoring found a problem, you did something about it and recorded what you did.

Automate the Follow-Up with Poppi

Writing the policy is one thing. Making sure your team has actually read it is another. Poppi can handle the chasing so you don't have to.

If you mark the knowledge hub entry as mandatory, Poppi will track who's read it and who hasn't. You can set up automations to chase staff who are behind, notify managers when someone completes the policy, and get a regular report showing where the gaps are.

Here are three automations I'd set up for any knowledge hub policy:

Overdue training reminders

Automatically chase team members who have mandatory policies they haven't read yet. Poppi sends the reminder so you don't have to.

Poppi
Poppi

Tom, you have 2 overdue policies to read and acknowledge

Video completion alerts

Get notified when a team member finishes reading or watching a policy, so you can track progress without chasing.

Poppi
Poppi

Emma has completed a mandatory policy

Training gap analysis

Get a regular AI report showing which team members are behind on mandatory policies and where the gaps are across your team.

Poppi
Poppi

Training Report: 87% team completion. Tom and Sarah behind on 2 mandatory policies, due 3 days ago.