The nuclear industry uses a "defence in depth" approach - having backups for your backup systems - but cascading disasters and human error have overwhelmed those safety systems in Japan and pushed the country to the brink of a nuclear meltdown.
Japan's Fukushima Daiichi nuclear station was clearly designed to withstand the worst earthquake to hit the country in modern times, but key backup safety systems failed under the resulting blackout and a massive tsunami that inundated the area.
That's left a razor-thin margin of error for emergency crews working under enormous stress to prevent a meltdown that could spread radiation across their homeland. They've survived catastrophic natural disasters and explosions at the plant, but the failure to close a pressure gauge could lose the war.
The see-saw battle to regain mastery of the crippled plants has been hobbled by some design shortcomings at the 40-year-old facility - though the critical containment vessels appear to be intact. And there is a residual lack of trust in its operator, Tokyo Electric Power Company (TEPCO), which has an unfortunate history of hiding trouble from the public.
But the fundamental question is whether the global nuclear industry designs reactors to withstand a "perfect storm" situation, in which multiple calamities and human error conspire together to create what the industry calls a "low-probability, high-consequence event."
Former nuclear regulator Linda Keen said the industry is often inadequately prepared.
"In my experience, I found the nuclear engineers extremely optimistic," said Ms. Keen, former head of the Canadian Nuclear Safety Commission.
"They're optimistic about everything: how fast they're going to do things, the cost, the idea of whether you are going to have an accident or not."
Ms. Keen - who chaired an international safety panel during her tenure - said that the industry can be too fixated on individual threats and unprepared to cope with the multiple disasters that are unlikely but can occur.
"It's pretty clear that in Japan they didn't do the proper planning for the backup power. … There were ways of providing more defence in depth for that facility."
In fact, the Japanese are noted for their diligent approach to possible natural disasters, including preparing the population to participate in the response or evacuate quickly when necessary.
"When it comes to preparedness for a large catastrophic event, there is no society on the planet that is as prepared as Japan," said Stephen Flynn, a former disaster planner in the White House and now a Washington-based consultant.
"They're the gold standard. When it comes to earthquakes but also general civic preparedness, it's deeply part of their experience."
Mr. Flynn agreed, however, that even high-risk industries often fail to properly prepare for the cascading effects of multiple disasters. Such was the case at the Fukushima plant, where emergency power systems were left dangerously exposed to flooding from a tsunami.
One problem, Ms. Keen said, is that the Fukushima plant is 40 years old and doesn't have the same level of protection - thickness of outer containment walls, for example - as a modern plant.
At the same time, its owner, TEPCO, created suspicion among Japanese over safety issues unveiled in 2004, when the company's top executive had to resign in a scandal over doctored safety tests.
Ms. Keen said nuclear utilities and governments often downplay the threat of contamination from an accident in the hope that problems can be overcome.
Industry insiders insist that the nuclear fraternity places an enormous premium on safety, knowing that a serious accident can throw up major hurdles to the development of new plants.
"Our industry is known for being on the conservative side of design," said Duncan Hawthorne, chief executive at Ontario's Bruce Power and a board member of the World Association of Nuclear Operators, which was set up after the 1986 Chernobyl disaster.
But he acknowledged that the placement of diesel generators on the grounds outside the reactor building left them dangerously exposed to a tsunami, which was three metres higher than the plant had been designed for.
The loss of the diesel machines meant crews had to turn to battery-powered generators to keep pumps operating to cool the reactor cores. Since those have given out, the workers have been using hoses to douse the reactor cores with sea water. That process resulted in a buildup of steam that requires venting, spreading low-level radiation, and the creation of hydrogen that caused explosions in at least two - perhaps three - of the outer containment buildings.
Harried crews have also apparently made some costly mistakes.
At one point, an air flow gauge was accidentally turned off, blocking the flow of water into the reactor. As a result, fuel rods in Fukushima's No. 2 reactor were exposed and began to melt.
In another incident, crews did not notice the remaining diesel generator had run out of fuel, interrupting the water flow for precious moments.
Mr. Hawthorne said the emergency crews are operating under the most dire conditions. Two of their colleagues were lost and presumed drowned while outside checking for earthquake damage when the tsunami hit.
"The only thing left standing in this area is the plant - you don't know where your family [is], you don't know what's happened, but you have a job to do and you have to stick on it."
Costly missteps at Fukushima Daiichi
Backup generators susceptible to tsunami: The plant designer prepared well for an earthquake, but backup generators and fuel tanks were located on lower ground, leaving them vulnerable to a tsunami that might be expected to occur from a massive offshore temblor.
Lack of adequate battery power: When some diesel generators needed to cool the reactor core failed, the crews resorted to battery-powered pumps. But the batteries had an eight-hour lifespan, and the plant was not equipped with enough spares to maintain cooling efforts.
Poor communication: The Japanese head of the International Atomic Energy Agency complained of not getting timely or detailed information, as have domestic news media. As a result, the population is uncertain and panicky about the potential threat.
Running out of fuel: Water levels in No. 2 reactor fell after the diesel pump ran out of fuel and workers did not notice quickly enough.
Checking the gauges: Air pressure inside No. 2 reactor rose suddenly when the air flow gauge was accidentally turned off. That blocked the flow of water into the reactor, leading to the water level dropping and the exposure of the fuel rods.