AS/NZS 3666 Cooling Tower Compliance: What Data Centre Operators Must Know

Chilled water systems are the backbone of cooling in many larger data centres. Where a CRAH unit connects to a chilled water loop, that loop typically rejects heat through a cooling tower on the roof or plant deck. That cooling tower is a regulated device under Australian law, and the regulatory framework is AS/NZS 3666.

Many data centre operators treat cooling tower compliance as a facilities management afterthought. It is not. Non-compliance carries financial penalties, potential criminal liability, and the very real possibility of a Legionella outbreak that shuts down your facility and ends up in the news.

This post covers what AS/NZS 3666 requires, how it applies to data centre environments specifically, and what happens when operators fall short.

Why Cooling Towers and Legionella Are Linked

Cooling towers work by evaporating a fraction of the circulating water to transfer heat to the atmosphere. That process creates warm, aerosolised water droplets at temperatures between 20°C and 45°C, which is the optimal growth range for *Legionella pneumophila*. Drift from a cooling tower can travel hundreds of metres downwind. If that drift contains viable *Legionella* at sufficient concentration, inhalation can cause Legionnaires' disease, a severe pneumonia with a case fatality rate of around 10% in community outbreaks.

Data centres run cooling towers continuously, often year-round, at high load. The combination of constant operation, warm water temperatures, and potential for nutrient accumulation in the water circuit makes them a higher-risk category than intermittently operated systems.

The Standard: AS/NZS 3666 and Its Three Parts

AS/NZS 3666 covers air-handling and water systems in buildings with respect to microbial control. The three parts relevant to cooling towers are:

• Part 1: Design, installation, and commissioning
• Part 2: Operation and maintenance
• Part 3: Performance-based maintenance of cooling water systems (the audit and risk management framework)

Part 2 is the day-to-day compliance document. Part 3 is the performance-based pathway that allows operators to demonstrate compliance through documented risk management rather than purely prescriptive schedules. Most jurisdictions reference both.

State and territory public health legislation gives AS/NZS 3666 its legal teeth. In Queensland, the *Public Health Act 2005* and the *Public Health (Cooling Tower Water Management) Standard 2019* apply. In New South Wales, the *Public Health Act 2010* and *Public Health Regulation 2022* govern cooling towers. Victoria operates under the *Public Health and Wellbeing Act 2008* and associated regulations. The specific instruments differ, but the underlying technical requirements trace back to AS/NZS 3666.

Registration: The Starting Point

Every cooling tower in Australia must be registered with the relevant state health authority before it operates. In Queensland, registration is with Queensland Health. In New South Wales, it is with the local Public Health Unit. In Victoria, registration is with the local council.

Registration requires identifying the system owner, the site address, the number of cooling towers, and the appointed water treatment contractor. Changes to any of these details must be notified. A cooling tower that operates without current registration is operating illegally, regardless of how well it is maintained.

For data centre operators who have recently expanded their chilled water plant, added a second cooling tower, or changed building ownership, registration status is worth verifying immediately. Acquired facilities sometimes carry registration gaps that the previous operator never resolved.

The Risk Management Plan

AS/NZS 3666.3 requires a documented Risk Management Plan (RMP) for each cooling tower system. The RMP must be site-specific. A generic template that has not been adapted to your actual plant is not compliant.

The RMP must cover:

• A description of the cooling tower system, including pipework, basin, fill media, drift eliminators, and associated heat exchangers
• Identification of hazards and risk factors specific to the site
• Control measures for each identified hazard
• Monitoring and testing schedules
• Corrective action procedures when parameters fall outside limits
• Responsibilities assigned to named roles or contractors
• Records management procedures

For data centres, the RMP should account for the fact that the cooling tower may serve multiple CRAH or chiller units, that partial load operation during cooler months can reduce water temperatures and alter biocide efficacy, and that any planned maintenance shutdowns create restart risk if the system has been stagnant.

The RMP must be reviewed whenever there is a change to the system, a Legionella detection event, or at minimum annually.

Water Treatment: What the Standard Requires

Effective water treatment is the primary control measure against *Legionella* growth. AS/NZS 3666.2 specifies that cooling tower water must be treated to maintain:

• A biocide programme that controls microbial growth, including *Legionella*
• Corrosion and scale inhibition to prevent biofilm formation on surfaces
• pH between 7.0 and 8.0 in most treatment programmes
• Conductivity managed through bleed-off to prevent excessive dissolved solids concentration

The choice of biocide matters. Oxidising biocides such as chlorine or bromine are commonly used, but efficacy depends on pH, temperature, and organic load. Non-oxidising biocides are typically used in rotation to prevent resistance. Your water treatment contractor should be providing a programme that specifies dosing rates, frequencies, and the rationale for the chemistry chosen.

For data centres with variable cooling load, the water treatment programme needs to account for changes in bleed-off rate and residence time. A programme calibrated for summer peak load may be inadequate during a mild winter when the tower is running at 30% capacity with reduced water turnover.

Monthly Testing Requirements

AS/NZS 3666.2 and state health regulations require monthly microbiological testing of cooling tower water. The required tests are:

• Heterotrophic Colony Count (HCC): Target less than 1,000 CFU/mL; action level at 10,000 CFU/mL or above
• *Legionella* culture: Target not detected; action required at 10 CFU/mL or above in most jurisdictions

In Queensland and New South Wales, *Legionella* detection above the action level triggers mandatory notification to the health authority within 24 hours, followed by immediate remediation. The remediation protocol typically involves hyperchlorination or thermal disinfection, increased testing frequency, and a report to the regulator.

Samples must be taken by a competent person and analysed by a NATA-accredited laboratory. Results must be recorded and retained. In most jurisdictions, records must be kept for at least five years and made available to health inspectors on request.

Monthly chemical testing, including pH, conductivity, biocide residual, and inhibitor levels, should also be performed, typically by the water treatment contractor on each service visit.

Annual Audits

AS/NZS 3666.3 requires an annual performance audit of each cooling tower system. The audit must be conducted by a person with demonstrated competency in cooling water system risk management, typically an independent auditor or a qualified water treatment specialist who was not responsible for the routine maintenance of the system.

The annual audit covers:

• Review of the RMP for currency and site-specificity
• Inspection of the physical condition of the tower, including basin, fill, drift eliminators, and distribution system
• Review of all water treatment and microbiological records from the preceding 12 months
• Assessment of whether control measures have been implemented as specified
• Identification of any gaps and corrective actions required

The audit report must be documented and retained. Corrective actions identified in the audit must be addressed within defined timeframes. An audit that identifies deficiencies and sees no corrective action taken is worse than no audit, because it documents that the operator knew about the problem and did nothing.

Penalties for Non-Compliance

Penalties vary by jurisdiction, but they are substantial.

In New South Wales, failure to register a cooling tower or failure to comply with the Public Health Regulation can attract fines of up to $5,500 for individuals and $27,500 for corporations per offence. Where a *Legionella* outbreak is linked to a non-compliant system, the penalties under the Public Health Act are considerably higher, and the operator may face civil liability for damages.

In Queensland, penalties under the Public Health Act 2005 can reach 200 penalty units for individuals and 1,000 penalty units for corporations. At the current Queensland penalty unit rate, that is $27,100 for an individual and $135,500 for a corporation, per offence.

In Victoria, the Public Health and Wellbeing Act provides for substantial fines and, in cases of gross negligence linked to an outbreak, potential imprisonment.

Beyond the statutory penalties, the reputational and operational consequences of a Legionella event at a data centre are severe. A confirmed outbreak requires immediate system shutdown for disinfection, notification to all potentially exposed persons, and cooperation with a public health investigation. For a facility with uptime commitments to clients, the downstream costs of a cooling system shutdown dwarf any savings made by cutting corners on water treatment or testing.

Practical Steps for Data Centre Operators

If you operate a chilled water system with a cooling tower, the following checks are worth completing now:

• Confirm registration is current with the relevant state authority and that all towers on site are included
• Locate and review the current RMP; confirm it has been updated within the last 12 months and reflects the actual plant configuration
• Verify that monthly microbiological testing is being performed by a NATA-accredited laboratory and that results are being reviewed and actioned
• Confirm the annual audit is scheduled and that the previous audit's corrective actions have been closed out
• Check that your water treatment contractor's programme is documented, site-specific, and reviewed when operating conditions change

At CRAC Services Australia, our work on chilled water systems for data centres regularly intersects with cooling tower compliance. We can identify where your cooling plant configuration creates specific risk factors and where your maintenance programme may have gaps. Visit [https://crac.services](https://crac.services) to discuss your site's requirements.