The ACoP L8 compliance checklist

Written by the BlueWave team · Published 9 June 2026

General information, not legal or regulatory advice — your duties need your own competent advice.

ACoP L8 is the document your Legionella compliance answers to. This is the checklist version: what it expects you to have, in the order an auditor will ask for it — and the failure patterns that catch well-run contractors out.

What L8 actually is

L8 — Legionnaires' disease: the control of legionella bacteria in water systems, fourth edition — is the Health and Safety Executive's approved code of practice. It isn't a statute, but it carries special legal status: depart from it, and in any prosecution you must prove you achieved compliance some other, equally effective way. Courts are not generous about that proof. The working assumption for every duty-holder: L8 is the floor.

The technical detail underneath it lives in HSG274 — monitoring regimes, temperatures, frequencies. We've mapped how the whole landscape fits together on our compliance hub.

Who carries the duties

The duty-holder is whoever controls the premises or the risk — the employer or building controller. They appoint a responsible person: someone with the authority, competence and knowledge to make sure the control scheme actually runs. Most duty-holders also engage competent help — a water-treatment contractor, a consultant. That help can do the work; it cannot absorb the duty. The duty stays in the building, which is why "our contractor handles all that" is the opening line of so many enforcement case studies.

The checklist

Six items. An auditor will want evidence of each, not assurances.

  1. A current Legionella risk assessment. Carried out competently (BS 8580-1 is the methodology standard), covering every water system on site, with significant findings recorded. Current means reviewed against triggers — not laminated in 2022 and admired since.
  2. A written scheme of control for every system at risk. What the system is, how it's controlled, what monitoring happens, what to do when results go out of range. If the people doing the monitoring have never read it, it exists but it doesn't function.
  3. Named responsibilities. The responsible person appointed in writing, trained, and holding real authority. Deputies for when they're away — Legionella doesn't take leave.
  4. Monitoring running to the HSG274 regime. Sentinel temperatures, flushing of little-used outlets, calorifier checks, cooling-tower regimes where they apply — at the frequencies the guidance sets, without gaps in holiday weeks. Gaps in the record read as gaps in the control.
  5. Records you can produce, kept long enough. What was done, by whom, with what result — retained at least five years for monitoring records, and the assessment and scheme kept while current plus two years after. The real test is speed of production: an audit isn't a request for archaeology.
  6. Review triggers wired in. System modified? Use changed? Positive result? Control failure? Each should force a review of the assessment and scheme — automatically prompted, not dependent on someone remembering the rule.

Where audits actually fail

Rarely on the big items — almost nobody has no risk assessment. The failures are operational:

  • The assessment exists but nothing logs why it's still valid — no review trail since the system was modified.
  • The written scheme is a binder nobody on site has opened; the monitoring team works from habit, and the two have drifted apart.
  • The records exist — somewhere across a shared drive, a forms app and a filing cabinet — but producing March 2023's disinfection certificate takes three people and a morning.
  • The monitoring regime has holiday-shaped holes: the week the regular engineer was away simply isn't in the record.
  • Remedial actions were raised and even done — but closure was never evidenced, so on paper the defect is still open.

Every one of those is a systems failure, not a people failure — which is the practical argument for running the programme on a platform where records file themselves and the regime is the schedule, rather than on discipline.

Questions this guide gets asked

Is ACoP L8 legally binding?
Not in the way a statute is — and that distinction won't save you. L8 is an approved code of practice with special legal status: if you're prosecuted under the Health and Safety at Work Act and you didn't follow it, the court treats you as in breach unless you can prove you complied in some other, equally effective way. In practice, following L8 is the only sensible reading.
How often must the risk assessment be reviewed?
L8 doesn't set a fixed interval — the two-year rule you've heard is convention, not code. What it requires is review when there's reason to suspect the assessment is no longer valid: the system changed, its use changed, monitoring threw up problems, a positive result landed, or control measures proved ineffective. A sensible regime does both: scheduled reviews plus wired-in triggers.
How long do we keep the records?
Monitoring and inspection records: at least five years. The risk assessment and written scheme: for as long as they're current, plus two years after they're replaced. The LCA's expectations for service providers point the same five-year direction. The practical test isn't retention, though — it's whether you can produce the right record while an auditor waits.
Who can be the responsible person?
Someone with enough authority, competence and knowledge of the installation to ensure the controls actually happen — a manager with real standing, not a name on an org chart. You can buy in competent help (most duty-holders do), but the duty itself stays in the building. Appointing a contractor doesn't transfer it.

The checklist, running itself

Everything above — the records, the regime, the triggers, the five-year trail — is what BlueWave does by default. See it against your own sites.