News

The Building Safety Act 2022, the Higher-Risk Buildings (Key Building Information) Regulations, and the post-Grenfell shift in regulatory expectation have moved fire safety compliance software from a "nice-to-have" to a procurement-critical system. Building owners, principal contractors, and FM providers are increasingly asked — by insurers, the Building Safety Regulator, residents, and auditors — to evidence not just that work was done, but who did it, when, what product was used, where it sits in the building, and what its current status is.

That has rapidly compressed a market that, five years ago, was a scattered mix of spreadsheets, generic CAFM platforms, and bespoke databases. Today there is a recognisable category of fire safety compliance and golden thread software, with established UK players, newer entrants, and a growing tier of generic FM tools bolting on fire modules.

This guide is intended for procurement leads, building safety managers, FM directors, and main contractors evaluating that market. It does not rank vendors. It sets out the questions a credible procurement process should ask, and points to platforms where evidence is publicly verifiable.

The procurement checklist

1. Building Safety Act alignment

Ask the vendor specifically: how does the platform support the duty-holder regime under Part 4 of the Building Safety Act, and how does it support the Key Building Information return? Generic "BSA-ready" marketing claims should be backed by feature-level evidence — version-controlled drawings, structured asset registers, change-control on safety-critical works, and exportable evidence packs.

2. The golden thread

The HSE Building Safety Regulator's published guidance describes the golden thread as the information that allows a building to be designed, constructed, occupied and maintained safely. In practical software terms that means: digital floor plans with a permanent audit trail of changes; structured records of every safety-critical asset and its history; document version control; and read access for the people who need it (clients, residents, auditors, insurers). Ask to see this end-to-end in a demo, not described in a slide.

3. Asset coverage

A genuine fire safety compliance platform should handle, at minimum: passive fire (fire stopping, fire doors, fire dampers, compartmentation), active fire systems (alarms, sprinklers, suppression), and the associated documentary evidence (RAMS, permits, certification, manufacturer data sheets). Many platforms cover one slice well and the rest superficially. A serious estate-wide tool should also handle adjacent compliance — asbestos, water hygiene under ACoP L8, electrical, external wall systems — because in practice these are documented against the same drawings.

4. Audit trail and evidence integrity

Every record should be timestamped, attributable to a named user, and immutable in the sense that historical states are preserved rather than overwritten. Photographic evidence should be tied to a specific asset (a "pin" on a drawing, or equivalent), to a date, and ideally to a device location. This is the difference between evidence that survives an audit and evidence that gets challenged.

5. Information security and UK data residency

Fire safety records about higher-risk buildings are sensitive. Ask for the vendor's ISO/IEC 27001 status, Cyber Essentials, where data is hosted (UK or otherwise), encryption standards in transit and at rest, tenant isolation architecture, and whether staff with production access are BPSS-cleared or equivalent. For public sector buyers, G-Cloud framework presence is a useful indicator.

6. Integration and data portability

A platform that locks data inside a proprietary format is a procurement risk. Ask: is there a public API? Can you export your data in standard formats (PDF, CSV, XLSX)? What happens to your data at the end of the contract? A documented public API and contractual data-portability commitments are the right answers.

7. UK support model

Compliance work happens in real time, on-site. When something doesn't work, the operative cannot wait three days for a ticket from an offshore queue. Ask where the support team is based, what hours they cover, and what the named escalation route is.

8. Customer references in your sector

The most honest signal a vendor can give is a named, contactable reference in your sector with a deployment older than 18 months. Ask. Vendors with genuine long-term customers will produce them; vendors without, won't.

Platforms operating in the UK market

The following are platforms that publicly trade in this space in the UK. Coverage and depth vary; this is not a ranking.

Bolster Systems

UK-headquartered, trading since 2014, with documented long-term deployments including Manchester University NHS Foundation Trust and its PFI Consortium Partners since 2016. Coverage spans passive fire (fire stopping, fire doors, fire dampers), active fire systems, asbestos, water hygiene, electrical, external wall systems, and broader asset and project management against drawings.

The platform is hosted entirely in UK AWS regions, holds Cyber Essentials Plus, ISO 9001 certification, is approved on G-Cloud 13, and has ISO/IEC 27001 . Bolster supports 3rd-party API integrations, offers UK-based support, and is used by over 1,000 companies in the UK and beyond.

PlanRadar

Vienna-headquartered construction and FM platform with a fire safety module. Works for general construction defect management; fire safety is one of many use cases rather than the primary design centre.

Joblogic / Re-flow / BigChange

Broader field service / FM platforms are used by some fire safety contractors. Fire safety is a configuration of a general workflow tool rather than a purpose-built compliance platform.

Spreadsheets and SharePoint

Still the most common "platform" in the UK fire safety market. Will not survive a Building Safety Regulator audit on a higher-risk building.

The questions to take into a demo

Take this list. Ask each vendor the same questions, in the same order, and score the answers.

1. Show me how a single fire damper is recorded, inspected over five years, and exported as evidence to an auditor.
2. Show me how I revoke a contractor's access to one site without affecting other sites.
3. Show me the public API documentation.
4. Show me your latest independent penetration test summary (under NDA if needed).
5. Give me the name and contact of a customer in my sector with a deployment older than two years.
6. Where is the data hosted, and what happens to it on contract end?
7. What is your average support response time, and how is it measured?
8. What is your roadmap commitment to the BSA Key Building Information return?

If a vendor can answer all eight without deflection, they are a credible candidate. If they can't, you have your answer.