
Seven Holes in the Cheese: The 2019 Aghorn H2S Fatalities and What Defense in Depth Actually Means

A field engineering review of the CSB case file, the Swiss cheese model in human form, and what seven simultaneous control failures cost two lives in a single afternoon.

Michael Atkin, P.Eng | June 2, 2026 | 13 min read
470: Upstream U.S. oil and gas worker fatalities documented by NIOSH, 2014 to 2019
~10%: Share of those fatalities caused by contact with a harmful substance (H2S is the hazard operators rank highest)
>20%: Share of those fatalities that happened to a worker who was alone
~31%: Share of incidents in the dataset that occurred in the Permian Basin
7: Independent control failures named in the CSB final report on the 2019 Aghorn double fatality

On October 26, 2019, two people died at an Aghorn Operating waterflood station outside Odessa, Texas. The U.S. Chemical Safety Board's final report names seven independent failures that aligned in a single afternoon. None of the failures felt critical alone. All of them were lethal together. That is the Swiss cheese model in its purest form, and it is the model every HSE program in upstream oil and gas is supposed to be defending against. This is a review of the seven holes, why each is more common than operators want to admit, and what defense in depth actually looks like when it is wired into daily operations rather than written on a wall.


The Statistics Behind the Story

Before the incident, the operator-facing numbers were already clear. NIOSH's Surveillance Summary of fatalities in oil and gas extraction over the 2014 to 2019 window documents 470 worker deaths in the upstream United States. Roughly one in ten of those deaths came from contact with a harmful substance, and hydrogen sulfide is the hazard operators rank highest when they are honest about it. More than one in five of the same 470 deaths happened to a worker who was alone at the time. Almost a third of the incidents in the dataset occurred in the Permian Basin, which is the geography Aghorn Operating runs in.

Two stats, one geography, and an industry that knows what they mean. The Aghorn case is the story those numbers tell when they meet a real pump house.

October 26, 2019. Odessa, Texas.

Jacob Dean drove to an Aghorn Operating waterflood station to silence an alarm on a produced-water pump. Routine call. He had run the same task many times.

His wife Natalee drove out hours later, worried she could not reach him.

Neither one came home.

The U.S. Chemical Safety Board investigated and published the case file at csb.gov. The report is the authoritative source for every fact below.

Jacob closed two block valves to isolate the pump and began work. He did not perform lockout/tagout on the pump's control circuit. The pump was wired for auto-restart. While he was standing in the building, the pump cycled back on. Produced water moved. Hydrogen sulfide flashed into the air.

His personal H2S monitor was in his truck.

The facility's H2S detection panel was not functioning. Two installed alarms never triggered.

The pump house had no forced ventilation.

When Natalee could not reach him, she drove to the site to check on him. The site gate was unlocked, the informal policy when an employee was on site. She walked into the same vapor space and into the same fatal exposure.

Two people. Seven simultaneous failures.


The Seven Holes

This is the list from the CSB report, restated in operator language:

  1. No LOTO before work on rotating equipment. Block valves were closed, but the electrical control circuit on the pump was not isolated. The pump could restart on its own logic and did.
  2. Auto-restart with no occupancy interlock. A pump that can come back on while a person is standing next to it is a hazard waiting for a witness. There was no interlock between the control circuit and any indication that a worker was in the vapor envelope.
  3. Personal H2S monitor not worn. Jacob's monitor was in his truck. Industry standard practice is that a personal monitor is part of the person, not part of the vehicle.
  4. No written policy requiring the monitor to be worn. The expectation existed in conversation. It was not in writing, not enforced, not tracked.
  5. Non-functional facility H2S detection panel. The fixed detection system that was supposed to be the second layer above the personal monitor was offline. Two installed alarm devices did not trip during the release.
  6. No forced ventilation in the pump house. The building had no mechanical air movement. Once H2S flashed inside, the concentration sat at the breathing zone with nowhere to go.
  7. Unlocked site gate. Informal site-access policy meant anyone arriving while an employee was present could walk straight in. Natalee did.

Catch any one of those holes and Jacob lives. Catch one more and Natalee lives.

This is the Swiss cheese model in human form. Every defense layer had a hole. None of the holes felt critical alone. All of them were lethal together.

Defense in Depth Is Not Paperwork

Defense in depth as a concept has been part of every HSE leadership conversation in oil and gas for two decades. The phrase is on posters in field offices, in onboarding decks, in the front matter of HSE management system documents. Aghorn had it in writing too.

The problem the Aghorn report makes plain is that defense in depth is not what is written down. It is what is wired into the day.

There is no single safety system that wins alone.

A working H2S detection panel does not save you if no one wears a personal monitor.

A personal monitor does not save you if the worker walks into a building with no ventilation and gets one breath above the threshold.

A ventilated building does not save you if the gate is unlocked and a second person walks into the same vapor space.

LOTO does not save you if the pump can auto-restart through controls that were never isolated.

Every layer in the model only matters because the other layers might fail. The layers do not substitute for one another. They compound. That is the entire premise, and it is the premise that gets quietly violated every time an operator says "we have a panel" or "we have a procedure" and treats it as the single line of defense.

Why Each Hole Is More Common Than Operators Want to Admit

The first reaction to a case like Aghorn is to call it an outlier. The numbers say otherwise. Each of the seven failures is documented elsewhere in the same NIOSH dataset and across the OSHA citation record for upstream oil and gas.

LOTO failures on rotating equipment are a recurring root cause in fatal-incident write-ups. They happen because the worker isolates the obvious flow path (the valves) and not the energy source (the controls). It is a training gap, but it is also an equipment gap: many pumps in service do not have a visible, lockable disconnect at the local panel.

Personal-monitor non-wear is the most common HSE compliance gap field supervisors report when asked privately. Monitors get left in the truck because they alarm spuriously, because the worker is briefly on site for a five-minute check, because the battery is flat and there is no spare, because nobody is going to be checking. None of those reasons appear in the procedure binder. All of them appear in the daily workflow.

Non-functional fixed detection is a maintenance backlog problem. Calibration falls behind, sensors drift, a panel goes dark and gets put on a list. Nothing alarms because the system that was supposed to alarm is offline.

Auto-restart without occupancy interlock is an as-built reality of a great deal of installed equipment. The fix is not abstract; it is electrical work on a known list of buildings.

Pump houses without forced ventilation are common in older installations across the Permian and across the legacy fields of every U.S. basin. Retrofit is not free, but the cost is sized in thousands per building, not millions.

Unlocked gate policy is the easiest hole to close and the one that gets closed last because it is administrative, not capital.

None of these holes is exotic. None of them is operator-specific. The Aghorn incident is what happens when an operation runs with all of them open at the same time.

What the Operators Doing This Well Actually Do

The operators with the strongest H2S records in the Permian and the rest of the Lower 48 do not have better posters. They have a few specific operating practices that show up across every program that demonstrably moves the needle, and they have them wired into how shifts run, not into how audits read.

Every entry into an H2S service area is treated as a confined-space-grade event with respect to monitoring. Personal monitor worn at the breathing zone, calibrated and bumped that shift, paired with a written pre-entry check. The check is in a system, not in the worker's head.

Lone work in H2S service is eliminated by default. If a task in an H2S area cannot be completed by a single person without entering the vapor envelope, the task is rescheduled, paired, or remoted. The decision logic is on the dispatch side, not on the worker's side, so it does not depend on a tired pumper making the right call at the end of a long route.

Fixed detection panels are on a calibration and uptime SLA the operations leader signs for. A panel that has been offline for a week is a top-of-page item on a daily ops review, not a line in a maintenance backlog.

LOTO procedures name the control circuit, not just the flow path, and the workforce is trained on isolating the energy source. Disconnect switches are installed at locations where they are missing, and a known list of installed equipment without a local lockable disconnect is being closed out over a defined period.

Forced ventilation is added to pump houses and other enclosed buildings in H2S service, on a prioritized list driven by sour-service severity. The list has a finish date, and the finish date is communicated to the workforce.

Site access is closed by default. Gates are locked even when an employee is on site. Family or third-party arrival requires a controlled entry and an awareness check.

Near-miss reporting is treated as the leading indicator. TRIR and lost-time rates are too coarse to predict the next fatality; events per worker-month, classified by hazard and by failure mode, are the dataset that signals where the next case will come from. Operators who have seen step-changes in fatality risk over the last decade have generally seen a parallel step-change in near-miss reporting volume, because the workforce is convinced that reporting is safe.

None of those practices is novel. None of them requires a new product. All of them require a culture where every layer is treated as both load-bearing and fallible.

Why WorkSync Cares About This

There is no claim being made here that any software would have saved Jacob and Natalee Dean. The Aghorn case is what it is. The CSB report does the assignment of cause, and the families do the grieving.

The reason we are writing about it is older than the company. WorkSync started in safety. The first question the founding team asked was how technology can make oil and gas operations safer. Every product that followed traces back to that question, and we are not done answering it.

What software can do, honestly stated, is small but compounding. A field intelligence layer can track whether a personal monitor has been bump-tested and worn on the shift it was assigned to. A connected-worker pattern can flag a lone entry into an H2S service area before the worker is in the building, not after. A live integration to the fixed-detection panel can put "calibrated and online" into the dispatch decision rather than the maintenance backlog. Exposure tracking by worker, by site, and by shift moves the dataset from anecdote to ledger, which is where leading indicators have to live to be useful. The WellOPS Field Data Capture layer and the Willie voice agent that sits inside it are the parts of our platform that touch this surface directly.

None of that is a substitute for the seven items in the list above. It is a way to make sure those seven items get done every shift, on every site, with a record that the operator can act on the next morning. That is what defense in depth looks like when it is wired into operations rather than written on a wall.

Three Diagnostic Questions Worth a Week

Run these for your own operation. They are the questions the Aghorn report would have asked the morning of October 25.

Do the people on shift understand the specific exposure risks of the tasks they are about to run? Can they name the H2S service areas, the lone-entry restrictions, the LOTO points on the rotating equipment, and the working state of the fixed-detection panel they are about to rely on?

Do you track personal-monitor wear, bump-test compliance, and H2S exposure events at the worker level and the site level? Can you tell the difference between a workforce that wears monitors and a workforce that carries them?

Does the leadership team know, at the end of the shift, that every worker came home? Not as a statement of values. As a record. Auditable, by site, by name, every shift.

The operators we have worked with who can answer all three questions honestly have moved the underlying numbers. The ones who cannot are running with at least one hole in the cheese, and probably more.

Zero Is Possible When Every Layer Holds

The phrase "zero is possible" gets used a lot in oil and gas safety language. It is true. It is also conditional. Zero is possible when every layer of the defense holds, every shift, every site, every time. Zero is not a slogan. It is the load-bearing outcome of seven things going right when any one of them going wrong would be the case file.

Aghorn was not a mystery. It was a checklist no one ran.

In memory of Jacob and Natalee Dean.

Source: U.S. Chemical Safety Board final investigation report on the 2019 Aghorn Operating H2S release (csb.gov). NIOSH MMWR Surveillance Summary, Fatalities in Oil and Gas Extraction, 2014 to 2019 (cdc.gov/mmwr).

Frequently Asked

What is defense in depth in an oil and gas H2S context?

Defense in depth is the operating assumption that no single safety system wins alone, so layers are stacked deliberately so that each layer can fail without the worker being exposed. In an H2S service area the layers typically run: hazard analysis and job planning, LOTO on the energy source, forced ventilation in enclosed spaces, fixed H2S detection panels on a calibration and uptime SLA, personal H2S monitors worn at the breathing zone with bump-test compliance, lone-entry restrictions and dispatch-side enforcement, controlled site access, and near-miss reporting as the leading indicator. The premise is that any one layer may fail. The promise is that the others will catch the failure before a worker breathes the gas. The Swiss cheese model is the visual statement of the same idea.

What happened at the 2019 Aghorn Operating incident?

On October 26, 2019 at an Aghorn Operating waterflood station near Odessa, Texas, a worker (Jacob Dean) entered a pump house to silence an alarm on a produced-water pump. He closed two block valves but did not perform LOTO on the pump's electrical control circuit. The pump was wired for auto-restart, cycled back on while he was in the building, and H2S flashed into the enclosed space. His personal H2S monitor was in his truck. The facility's fixed H2S detection panel was not functioning and two installed alarms never triggered. The pump house had no forced ventilation. When his wife Natalee could not reach him by phone, she drove to the site, walked through an unlocked gate (the informal policy when an employee was on site), and was exposed to the same vapor. Both died. The case was investigated by the U.S. Chemical Safety Board and the final report is the authoritative source.

What are the seven independent failures named in the CSB report?

(1) LOTO was not performed on the rotating equipment; block valves were closed but the control circuit was not isolated, so the pump could and did auto-restart. (2) The pump was configured for auto-restart with no interlock against a person being in the vapor envelope. (3) The personal H2S monitor was in the truck, not worn. (4) There was no written policy requiring the monitor to be worn or enforcing it. (5) The facility H2S detection panel was non-functional and two installed alarms did not trip. (6) The pump house had no forced ventilation, so once H2S flashed into the building it stayed at the breathing zone. (7) The site gate was unlocked under an informal employee-present policy, allowing a second person to walk into the same vapor space. Catching any one of those holes saves the first worker. Catching one more saves the second. None of them in isolation felt catastrophic. Together they were.

Why are these specific failures more common than operators admit?

Each item on the seven-failure list is documented elsewhere in the NIOSH dataset and across the OSHA upstream citation record. LOTO failures on rotating equipment recur because workers isolate the obvious flow path (valves) rather than the energy source (controls), and many installed pumps lack a visible lockable disconnect at the local panel. Personal-monitor non-wear is the most common HSE compliance gap field supervisors report when asked privately, driven by spurious alarms, short site visits, flat batteries, and the absence of any record system that would catch the omission. Non-functional fixed detection is a maintenance backlog problem in disguise. Auto-restart without occupancy interlock is an as-built reality across legacy installations. Pump houses without forced ventilation are common across older Permian and Lower-48 fields. Unlocked gate policy is administrative, not capital, and is closed last. The Aghorn incident is what happens when a single operation runs with all of those holes open at the same time.

What are the leading indicators that an HSE program is actually working?

TRIR and lost-time rates are too coarse to predict the next fatality; they are lagging by definition and the populations are small. The operators who have moved their underlying fatality risk over the last decade have generally moved a different number first: near-miss events reported per worker-month, classified by hazard and by failure mode. The reporting volume rises before the incident rate falls, because the workforce has become convinced that reporting is safe and useful. Additional leading indicators worth tracking: personal monitor bump-test compliance by worker and by shift, fixed-detection panel uptime percentage with a named owner, percentage of H2S service entries that triggered a documented pre-entry check, and lone-entry exceptions reviewed at the next ops meeting rather than buried.

Where does software actually help on a problem like this?

Software does not substitute for ventilation, interlocks, calibrated panels, or worn monitors. What a connected field intelligence layer can do is small but compounding: track whether a personal monitor has been bump-tested and worn on the shift it was assigned to, flag a lone entry into an H2S service area before the worker enters the building rather than after, put fixed-panel calibration and uptime into the dispatch decision rather than the maintenance backlog, and turn worker- and site-level exposure tracking into a ledger the leadership team can act on the next morning. The WellOPS Field Data Capture layer and the Willie voice agent inside it are the parts of the WorkSync platform that touch this surface directly. The honest framing is that software helps make sure the seven items on the defense-in-depth list get done every shift, on every site, with a record. It is not a fourteenth layer added on top of thirteen broken ones.

What three diagnostic questions can an HSE leader run on their own operation this week?

(1) Do the people on shift understand the specific exposure risks of the tasks they are about to run? Can they name the H2S service areas, the lone-entry restrictions, the LOTO points on the rotating equipment, and the working state of the fixed-detection panel they are about to rely on? (2) Do you track personal-monitor wear, bump-test compliance, and H2S exposure events at the worker level and the site level? Can you tell the difference between a workforce that wears monitors and a workforce that carries them? (3) Does the leadership team know, at the end of the shift, that every worker came home? Not as a value statement. As an auditable record, by site, by name, every shift. Operators we have worked with who can answer all three honestly have moved the underlying numbers. The ones who cannot are running with at least one hole in the cheese and probably more.

What is the WorkSync angle on this?

WorkSync started in safety. The founding question was how technology could make oil and gas operations safer, and every product that followed traces back to that question. We make no claim that any software would have saved Jacob and Natalee Dean. What WellOPS Field Data Capture, the Willie voice agent, and the DataHUB integration layer make possible is a record system that catches the seven items on the defense-in-depth list every shift, on every site, with a ledger the leadership team can act on. Defense in depth wired into operations, not written on a wall. In memory of Jacob and Natalee Dean.
