CDM 2015 compliance software for principal contractors: what it needs to do

What CDM 2015 actually requires from the principal contractor

The Construction (Design and Management) Regulations 2015 impose specific, non-delegable duties on the principal contractor. These are not aspirational standards - they are legal requirements with criminal penalties for breach. Understanding them precisely is the starting point for evaluating whether any software actually helps you discharge them.

Regulations 12 to 14 set out the PC's core duties. The seven you need to evidence on inspection are:

1. Construction Phase Plan (Reg 12): The PC must draw up and keep under review a Construction Phase Plan that sets out the arrangements for managing the construction phase. It must be specific to the site and must be updated as the project develops. A generic template that has not been reviewed since mobilisation does not meet this requirement.
2. Organised, managed, and monitored construction phase (Reg 13(1)): The PC must plan, manage, monitor, and coordinate the entire construction phase so that, so far as is reasonably practicable, it is carried out without risks to health or safety. Monitoring means active ongoing oversight - not a one-off CPP at project start.
3. Compliance with Part 4 (Reg 13(2)): The PC must ensure the general site safety requirements under Part 4 of CDM 2015 are complied with throughout the construction phase. This covers safe places of work, emergency procedures, welfare, and site perimeter security.
4. Prevent unauthorised access (Reg 13(3)): The PC must take reasonable steps to prevent access to the site by unauthorised persons. This directly requires a functioning site access control system with records of who is on site at any time.
5. Site induction before starting work (Reg 14(a)): Every worker must receive a suitable site induction before they begin work. This is one of the most frequently cited CDM failures in HSE enforcement action. The induction must be site-specific, not a generic company induction.
6. Appropriate information and training (Reg 14(b)): Workers must receive the information and training necessary for the work to be carried out safely - including briefings on RAMS before they begin the relevant activity.
7. Consult and engage with workers (Reg 14(c)): The PC must consult workers about matters that may affect their health, safety, or welfare. Records of toolbox talks, briefings, and worker consultations support this duty.

See our full CDM 2015 guide for contractors for the complete regulatory picture including client and principal designer duties.

The 5 records HSE expects to see instantly during an inspection

When an HSE inspector arrives on a construction site, they ask for documents. They expect them immediately - not retrieved from head office, not emailed over, not found in a filing cabinet in the site office. Immediately. The inability to produce a record is treated as evidence that it either does not exist or has not been maintained.

See our companion guide on HSE site inspections for the full inspection process. The five CDM-specific records they reach for first are:

1. Site induction records: Every person currently on site must have a completed induction record. The inspector will cross-reference this against the live site register. A worker on site with no induction record is an immediate enforcement trigger. The record must show the date, what was covered, and who delivered the induction.
2. The Construction Phase Plan: Current, reviewed, and site-specific. Inspectors read it. A CPP that refers to activities not yet started or that has clearly not been updated for months signals it is a compliance document rather than a working plan.
3. RAMS briefing evidence: Not just the RAMS documents themselves, but proof that workers were briefed on them before starting the relevant activity. Named sign-off records, with dates. An inspector who sees RAMS but no briefing evidence has found a gap.
4. CSCS card or competency verification: Evidence that each worker on site holds the appropriate card or has equivalent verified competency. Inspectors check cards on the walk-round and cross-reference against records. Cards that have expired, or card types that do not match the occupation, are enforcement risks.
5. Incident and near miss log: An active log that reflects the reality of site activity. A busy site with no near miss entries signals a safety culture problem, not a safe site. The log should show recent entries across the project duration.

You can read more about the full set of CDM records the PC must maintain in our guide to CDM 2015 site records.

Why spreadsheets fail CDM compliance

Most principal contractors running fewer than five sites manage their CDM records on spreadsheets, shared drives, or paper. This is understandable - it is how the industry has always worked. It is also the reason CDM compliance remains one of the most common grounds for HSE enforcement action against mid-tier contractors.

Spreadsheets fail CDM compliance in four specific ways that software solves:

You cannot prove a record existed at the time of work

This is the critical failure. When an HSE investigation follows an incident, the question is not whether you have a record now - it is whether the record existed and was in use at the time the work was carried out. A spreadsheet or Word document can be created or modified at any point. A timestamped, audit-trailed digital record with a cryptographic creation date cannot. In enforcement proceedings, the inability to prove contemporaneous record-keeping is treated as absence of record.

Version control does not exist

Spreadsheets shared via email or even cloud storage routinely have multiple versions in circulation. The RAMS that workers were actually briefed on may not be the current version. The induction checklist used last month may have been updated without the site manager knowing. An inspector comparing the version in your records against the version workers describe receiving will find inconsistencies you cannot explain.

Records are not accessible on site

An inspector arrives unannounced. The site manager needs to produce induction records for 47 workers in the next five minutes. If those records are in a spreadsheet on a laptop that is at head office, or in a shared drive accessible only via VPN, you have failed. CDM compliance requires records to be immediately accessible at the point of inspection, which means a cloud-based system accessible from a phone.

There is no real-time site register

Reg 13(3) requires the PC to prevent unauthorised access. That implies knowing, at any moment, who is authorised to be on site and whether they are actually there. A paper sign-in sheet or an end-of-day spreadsheet update is not a real-time register. An inspector asking "who is on site right now?" should receive an immediate digital answer, not a manual count.

What CDM compliance software must actually do

Software vendors in this space use terms like "digital compliance" and "workforce management" interchangeably. Here is a practical checklist of what CDM-specific software must do, beyond the marketing claims, for it to genuinely discharge a principal contractor's duties:

• Real-time site register: Clock-in and clock-out with a live dashboard showing who is physically on site at any moment. Accessible from a phone. Exportable for HSE within seconds, not minutes.
• Digital site inductions with audit trail: Workers complete a site-specific induction before starting work. The system records a timestamp, the worker's identity, the content covered, and the person or system that delivered the induction. The record is immutable after completion.
• CSCS verification with evidence: Not just recording card numbers. The system must capture photographic evidence of the card, verify the card type matches the worker's occupation, and alert when cards are approaching expiry. Expired card alerts must reach the site manager before the worker arrives, not after.
• RAMS sign-off records: A digital workflow where workers acknowledge RAMS specific to their activity before starting work. Named, dated, immutable records. Queryable by RAMS document, by worker, and by date.
• Supply chain visibility: The PC cannot manage CDM compliance only for their own directly employed workforce. Subcontractor workers must be inducted, competency-verified, and RAMS-briefed to the same standard. The software must handle supply chain workers, not just the PC's own employees.
• Incident and near miss log: A structured log with categories, severity, location, and follow-up actions. Not a text field in a shared document.
• Instant export for HSE: When an inspector arrives, you should be able to produce a full compliance pack - site register, inductions, CSCS records, RAMS sign-offs - in under two minutes from a phone. If the export takes longer than that, the system is not fit for an inspection scenario.

Features not on this list - project management, procurement, financial reporting - are useful but do not address the specific CDM compliance gap that causes enforcement action. Evaluate software on the list above first.

How AttendIQ addresses each CDM obligation specifically

AttendIQ is built for UK principal contractors. Each feature maps directly to a regulation:

Reg 12 - Construction Phase Plan: AttendIQ's digital forms module stores your CPP with full version history and a revision log. Every update is timestamped and attributed. An inspector asking for the current CPP gets the live version with a full edit history - not a file that could have been backdated.

Reg 13(1) - Plan, manage, monitor: The dashboard gives contracts managers a real-time view of compliance status across all sites: inducted workers, CSCS expiry alerts, outstanding RAMS sign-offs, and open incidents. Monitoring is continuous, not periodic.

Reg 13(3) - Prevent unauthorised access: AttendIQ's site register records every clock-in with timestamp, worker identity, and site. Workers who have not completed the site induction cannot check in. Unauthorised access is prevented at the gate, not discovered retrospectively.

Reg 14(a) - Site induction before starting work: Digital inductions can include video, documents, and knowledge checks. Workers complete the induction on their phone before they arrive on site. The system records completion with a timestamp and blocks gate access until induction is complete. The audit trail is immutable.

Reg 14(b) - Information and training: RAMS are uploaded to AttendIQ and distributed to workers digitally via the digital forms workflow. Workers sign off on each document before beginning the relevant activity. The sign-off record is named, dated, and linked to the specific RAMS version. You can show an inspector exactly which workers were briefed on today's RAMS.

Reg 14(c) - Consult and engage: Toolbox talk records and worker acknowledgements are captured through the same digital workflow. You have an auditable record of every worker consultation across the project duration.

The full compliance export takes under two minutes from a phone. It covers inductions, CSCS records, RAMS sign-offs, and the site register in a single PDF ready for an HSE inspector. From sign-up to audit-ready: same day.

The supply chain challenge: Reg 13 and subcontractor workers

This is the duty most principal contractors get wrong. Reg 13 requires the PC to ensure the construction phase is managed so that all workers - including those employed by subcontractors and their sub-tiers - carry out their work without risks to health or safety. The PC cannot outsource this obligation to the subcontractor company and consider it discharged.

In practice, this means a principal contractor with ten subcontractors on site needs to know, at any moment: which SC workers have completed the site induction, which have a valid and appropriate CSCS card, which have been briefed on the RAMS relevant to their activity today, and which have not. On a spreadsheet, this is impossible in real time. In most PC site offices, it is not tracked at all below the subcontractor company level.

HSE enforcement action following incidents involving subcontractor workers routinely cites the PC's failure to ensure those workers were properly inducted and competency-verified. The SC company's own failures do not reduce the PC's liability - the PC is the duty holder for the construction phase.

AttendIQ's supply chain portal addresses this directly. Subcontractor companies are invited onto AttendIQ for free. Their workers complete the PC's site-specific induction before they arrive on site. The PC sees a live dashboard of which SC workers are inducted, which have verified CSCS cards, and which are cleared for gate access. When an SC worker clocks in, the system verifies their induction status automatically - an uninducted SC worker cannot enter.

The SC company pays nothing. The PC gains full visibility of their supply chain compliance without adding administrative overhead to the subcontractor relationship.

The cost of getting it wrong

CDM compliance failures are expensive in ways that go beyond the fine itself.

Fee for Intervention (FFI) charges begin the moment an HSE inspector identifies a material breach. The current FFI rate is £172 per hour. An investigation lasting 20 hours generates £3,440 in charges before any notice has been issued. Improvement notices, prohibition notices, and the management time required to respond to each of them add further costs that are impossible to quantify in advance.

Prosecution follows serious failures. The average HSE fine for a construction CDM-related prosecution in 2024 exceeded £107,000. In 2024/25, HSE collected £33 million in fines across all sectors with a 96% conviction rate. Construction accounts for a disproportionate share of that total. Court costs are awarded in addition to fines, and the Sentencing Council guidelines tie fine levels to annual turnover - a regional contractor turning over £20 million is exposed to fines in the hundreds of thousands for a serious breach.

There are also the indirect costs: work stopped by a prohibition notice triggering liquidated damages under the main contract, PQQ disqualification when clients find enforcement notices on HSE's public register, and the reputational damage that follows a prosecution covered in the trade press.

AttendIQ at 100 workers on the Complete plan costs £7,800 per year. One average HSE prosecution fine is £107,000. That is 13 years of AttendIQ for the price of a single fine - before you count FFI charges, legal costs, and the project costs of a site shutdown.

The question for a contracts manager or SHEQ director evaluating software is not whether £7,800 is affordable. It is whether the current system - spreadsheets, paper sign-in sheets, and emailed RAMS - would survive an HSE inspection today. If the honest answer is no, the risk premium of not changing is already larger than the cost of the software.