
The Construction (Design and Management) Regulations 2015 place specific duties on the principal contractor — and a properly specified turnstile access control system is the cleanest way to evidence three of them at once. Unauthorised access prevention, suitable site induction, and an auditable record of who was on site when. None of these duties is satisfied by the turnstile on its own. But none of them is easily satisfied without one either.
Veritech designs, installs, integrates and monitors construction site access control across the UK, working with principal contractors who need to evidence CDM 2015 compliance to HSE inspectors, insurers and clients. This article maps each relevant Regulation 13 duty to the access-control evidence that satisfies it, and covers what HSE actually looks for in an inspection.
The Construction (Design and Management) Regulations 2015 came into force on 6 April 2015, replacing CDM 2007. They are the principal piece of UK legislation governing the management of health and safety on construction projects.
The Regulations apply to every UK construction project — there is no minimum size threshold. They place duties on five categories of duty holder: clients, principal designers, designers, principal contractors and contractors. HSE’s primary guidance document is L153 Managing health and safety in construction, the official guidance on the Regulations, supported by INDG411 for clients on smaller projects.
For sites with more than one contractor, the client must appoint a principal contractor in writing. The principal contractor is in overall control of the construction phase and carries the most significant set of CDM duties — set out in Regulation 13.
Regulation 13 of CDM 2015 sets out the principal contractor’s construction-phase duties. Three sub-duties under Regulation 13(4) are directly relevant to access control. They read, verbatim from the legislation:
The principal contractor must ensure that—
(Schedule 2 covers welfare facilities — toilets, washing, changing, drinking water, rest facilities — and sits outside the scope of this article.)
Two of the three sub-duties under Regulation 13(4) are directly evidenced by a well-deployed turnstile access control system: induction and unauthorised-access prevention.
Beyond Regulation 13(4), Regulation 13(1) requires the principal contractor to “plan, manage and monitor the construction phase”. The audit trail produced by access control is part of how that planning, management and monitoring is evidenced.
Regulation 13(4)(b) is the duty most directly answered by turnstile access control. The legislative wording is “the necessary steps are taken to prevent access by unauthorised persons to the construction site”. HSE’s guidance, in plain English, frames the standard as “reasonable steps” — and on a populated-area construction site, the HSE public protection page explicitly references a two-metre hoarding with a controlled entry point as the standard public-protection measure.
A turnstile sits inside that perimeter as the controlled entry point. What it specifically evidences:
The site boundary is secure with suitable barriers and controls. The turnstile completes the hoarded perimeter at the pedestrian entrance, removing the obvious gap. The turnstile and the hoarding are not alternative measures; they are complementary, and HSE inspectors look for both.
Reasonable steps to prevent unauthorised access have been taken. A turnstile that locks until a valid credential is presented is, on its face, a reasonable step. Combined with credential management (issued during induction, revoked when the worker leaves the project), an audit log and integration with CSCS Smart Check for card validity verification, it is a robust step.
The rights of way, adjacent land use and vulnerable people have been considered. HSE guidance to principal contractors specifically calls out these factors. The turnstile and the wider perimeter design (positioning, signage, lighting, hours of operation) should reflect them. On urban sites the boundary will need to balance security with pedestrian access to the public realm; on sites near schools, hospitals or housing the access controls will be more demanding still.
What the turnstile does not do on its own: it doesn’t satisfy 13(4)(b) without a competent gateman position, induction discipline, credential management, and out-of-hours coverage. For most UK construction sites that means pairing the turnstile with manned guarding or 24/7 remote monitoring as a layered approach.
Regulation 13(4)(a) requires the principal contractor to ensure that “a suitable site induction is provided”. HSE guidance and the L153 framework expand this — the induction must be site-specific, must cover the relevant risks and control measures, and must be tailored to the worker’s role.
Access control integrates with the induction process in three ways:
Pre-arrival induction. Most modern UK construction sites run induction online. The worker completes the module, takes a knowledge check, and uploads their credentials before arrival. The access control system holds an “induction status” flag against the worker’s record. If they arrive at the gate without completing induction, the turnstile stays locked. This removes the awkward conversation about who has and hasn’t been inducted — it is enforced at the rotor.
First-day enrolment as the final induction step. On day one the worker presents at the site office, completes any site-specific induction elements, and enrols their biometric or RFID credential. The access control system links the credential to the induction record. From that point forward, every entry and exit is logged against the induction-verified identity.
Refreshers and toolbox talks. Where a site policy requires periodic re-inductions, the access control system can be configured to flag workers due for refresher and require them to attend the site office before the next entry. The mechanic is the same — the turnstile holds the lock until the refresh is recorded.
Integration with online induction platforms is part of the wider workflow integration we cover in our integration article — the same data flow that supports CDM 2015 evidence also supports time and attendance, payroll and muster reporting.
The compliance value of access control is not that it provides physical security, although it does. The compliance value is that it provides evidence — timestamped, auditable, and resistant to disputes — that the principal contractor has done what CDM 2015 requires.
| Regulation 13 duty | Evidence the access control system produces |
| 13(1) Plan, manage and monitor the construction phase | Workforce data — who was on site, when, for how long, under which subcontractor |
| 13(4)(a) Suitable site induction provided | Induction status flag against every credential; uninducted workers blocked at the gate |
| 13(4)(b) Necessary steps to prevent unauthorised access | Locked-by-default rotor; valid-credential-required entry; logged attempts including failures |
| Audit trail for HSE inspection | Exportable entry and exit log, typically with worker name, subcontractor, credential type, timestamp, validation result |
The point is not that any single record satisfies HSE. The point is that the access control system makes the evidence available, on demand, in a form that HSE inspectors recognise.
When HSE inspects a UK construction site, it does so under the powers in the Health and Safety at Work etc Act 1974 and the inspectors look for evidence that CDM 2015 duties have been discharged. The audit trail an access control system produces typically covers:
The principal contractor’s CDM file (the construction phase plan, the health and safety file, the documentation pack the project carries through to completion) should reference the access control system and its data outputs. The system itself is not the evidence — the documentation that explains the system, references it, and pulls reports from it is.
For incidents that are reportable to HSE under RIDDOR (the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013), the access log provides a verified record of who was on site at the time of the incident. This is materially useful both for the principal contractor’s own investigation and for any subsequent HSE inquiry.
CSCS card verification sits across the CDM 2015 evidence trail. The CSCS card itself is industry consensus on minimum workforce competence — it indicates the worker holds the appropriate health and safety knowledge for their trade. CSCS Smart Check verifies the card in real time against the live CSCS database.
When access control is integrated with Smart Check:
For CDM 2015 purposes, this provides a documented basis for the principal contractor’s competence assurance — the duty to “take reasonable steps to satisfy” themselves about the skills, knowledge, experience and training of those on site. Our CSCS Smart Check article covers the verification process and the integration in detail.
The Building Safety Act 2022 has reinforced this further — it places a legal duty on individuals carrying out construction work to be competent for their roles. For the principal contractor evidencing how that competence is verified at the gate, the Smart Check log and the access control audit trail combine into the cleanest available record.
What does CDM 2015 actually require for site access? Regulation 13(4) of CDM 2015 requires the principal contractor to ensure (a) a suitable site induction is provided, (b) the necessary steps are taken to prevent access by unauthorised persons to the construction site, and (c) the welfare facilities required by Schedule 2 are provided. The first two duties — induction and unauthorised access prevention — are directly evidenced by a properly specified turnstile access control system.
Is a turnstile legally required on UK construction sites? No UK regulation specifies “you must install a turnstile”. Regulation 13(4)(b) requires the principal contractor to take the necessary steps to prevent unauthorised access. In practice, particularly on populated-area sites, a hoarded perimeter with a controlled, logged entry point is the standard way of evidencing that duty, and a turnstile is the standard pedestrian entry point.
What does HSE expect to see in an inspection? HSE inspectors expect evidence that CDM 2015 duties have been discharged. For access control specifically, that typically means: a documented site induction process, a secure perimeter with controlled entry, an auditable log of who has been on site, and credential management records. An access control system makes all of that available on demand.
Does CDM 2015 require online induction? CDM 2015 requires a “suitable site induction” — it does not specify the format. Online induction is widely used because it is auditable, consistent across the workforce, and integrates cleanly with access control credentials. Face-to-face induction on day one can supplement the online module. The combination of online pre-induction plus first-day enrolment is the typical UK construction pattern.
How long should access control logs be retained? CDM 2015 does not set a specific retention period for access logs. Most principal contractors retain access data for the duration of the project plus a defined window beyond completion — typically aligned with the construction phase plan retention period and any insurance, payroll or RIDDOR-related considerations. Retention should be documented in the principal contractor’s privacy notice and data protection records.
Who is responsible for CDM 2015 access control compliance on a construction site? The principal contractor carries the Regulation 13 duties. Contractors working on the site have a complementary duty under Regulation 15(10) — they must not begin work unless reasonable steps have been taken to prevent unauthorised access. In practice, the principal contractor specifies and operates the access control system, and contractors comply with the site access policy as a condition of working on the project.
Can a small construction project avoid the CDM 2015 access control duties? No. CDM 2015 applies to every UK construction project regardless of size. The duties are scaled to the nature and risk of the project — a small refurbishment will not need the same access control as a tower-crane city-centre new-build — but the underlying duty to take reasonable steps to prevent unauthorised access applies on every project.
What’s the difference between Regulation 13 and Regulation 15 on access? Regulation 13 sets the principal contractor’s duties (overall responsibility for planning, managing and monitoring the construction phase, including induction and preventing unauthorised access). Regulation 15(10) sets a complementary duty on every contractor on site: not to begin work unless reasonable steps have been taken to prevent unauthorised access. The two work together — the principal contractor specifies the access regime; contractors comply with it.
Veritech Security works with principal contractors, project managers, and construction businesses across the UK to design, install, integrate and manage construction site access control systems that protect sites throughout the full project lifecycle.
Our services relevant to CDM 2015 access compliance include turnstile access control systems that evidence the principal contractor’s Regulation 13(4)(b) duty to prevent unauthorised access; online induction integration with automatic gate-side blocking for uninducted workers; auditable entry and exit logs designed to satisfy HSE inspection; CSCS Smart Check integration for real-time card verification; SIA-licensed manned guarding and mobile patrols to maintain compliance out of hours; and 24/7 remote monitoring with verified response protocols.
We hold SIA approved contractor status alongside ISO 9001, ISO 14001, Constructionline, SafeContractor, RISQS, Achilles, and Cyber Essentials accreditations — the credentials that principal contractors and their insurers expect to see.
If you have a construction project that needs a security solution, speak to Veritech before the plant goes on site.
Call: 0800 799 9800 (available 24/7) Email: info@veritech-security.com Or: request a site security consultation online.

Head Office
18-20 Millbrook Road East,
Southampton, Hampshire, SO15 1HY
Tel: 0800 799 9800
Email: info@veritech-security.com
Hours: Monday - Sunday: Open 24 Hours
© 2026 Veritech Security is a trading name of Veritech Systems Limited | Company Registration No. 07095234 | Social Responsibility Policy | Sitemap | Privacy Policy | Policies and Procedures | Veritech Systems Limited holds SIA approved contractor status for Security Guarding, CCTV and Keyholding security services.
Simply complete our quick survey below