Hacker News

See also United 232 http://en.wikipedia.org/wiki/United_Airlines_Flight_232. The DC10 has three separate hydraulics systems, therefore the probability of all three failing is p^-3 right?? But wait, the lines are all grouped together through the tail, meaning if one is severed there, the other two are likely to be severed as well.



You might conclude from this that airliner designers are fools. An airliner is a very complex machine, and can have unexpected interactions between its components. Look at the other side:

1. the airframe held together despite an explosion at the back. The rudder and horizontal stabilizer stayed on.

2. the aircrew figured out how to control the airplane with no hydraulics, i.e. there was still some redundancy in the system.

3. the landing gear was designed so it could be extended and locked with no hydraulic power, and that worked

4. if the airplane or aircrew was any less, nobody would have survived

5. electric power stayed on

And, airframe companies learn from these disasters, which is why airplane travel is incredibly safe. Boeing airliners, for example, do not locate critical components inline with the turbines. Hydraulic lines do not extend past the inboard engine. There are a number of other improvements as well.

Having worked on 757 flight controls for three years, I can assure you that none of the engineers want any part of a defective design. None want to make any decisions that lead to a smoking hole in the ground. An awful lot of effort is spent poring over the designs again and again looking for mistakes.


I don't know if they existed at design time, but hydraulic fuses could have prevented draining of all the fluid. That makes the design take longer, increases weight, introduces new scenarios such as the fuse activating when it shouldn't, increases cost, and increases maintenance & parts (cost of ownership).

As with these matters there is no one true correct answer, but rather a very complicated set of tradeoffs and probability estimates. In hindsight it is easy to see designs as defective, but they could all be done in good faith.


No offense meant to aircraft designers, my point is just that it's a common fallacy to assume that probabilistic events are independent when they are in fact dependent in some ways. In the case of debris penetrating the tail, if one hydraulic line is severed, the probability of the other two also being severed is high, therefore the probability of a triple failure is not equal to p^-3; you must add to that the probability of this single catastrophic event occurring.
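The independence fallacy in the comment above, worked through as an added example (not part of the thread): three hydraulic systems that each fail on their own with probability p, plus a single common-cause event (debris through the tail) with probability q that severs all three at once. The naive estimate is p cubed (the thread writes it as p^-3); the correct figure adds the common-cause term, exactly as the commenter says. The values of p and q are illustrative assumptions, not figures from the accident report.

```python
import random


def naive_triple_failure(p: float) -> float:
    """Probability that all three systems fail, assuming they fail independently."""
    return p ** 3


def triple_failure_with_common_cause(p: float, q: float) -> float:
    """Exact probability that all three systems are lost.

    Either the common-cause event happens (probability q) and takes out all
    three lines together, or it does not (probability 1 - q) and the three
    systems must fail independently.
    """
    return q + (1 - q) * p ** 3


def inflation_factor(p: float, q: float) -> float:
    """How many times larger the true loss probability is than the naive p**3."""
    return triple_failure_with_common_cause(p, q) / naive_triple_failure(p)


def simulate(p: float, q: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: draw the common-cause event first,
    then the three independent failures, and count flights that lose all three."""
    rng = random.Random(seed)
    losses = 0
    for _ in range(trials):
        if rng.random() < q:          # debris severs every line at once
            losses += 1
            continue
        if all(rng.random() < p for _ in range(3)):  # three unrelated failures
            losses += 1
    return losses / trials


if __name__ == "__main__":
    # Illustrative numbers (assumptions): each system fails with p = 1 %,
    # and the tail-penetration event happens with q = 0.001 %.
    p, q = 0.01, 1e-5
    print(f"naive p^3:          {naive_triple_failure(p):.3e}")
    print(f"with common cause:  {triple_failure_with_common_cause(p, q):.3e}")
    print(f"inflation factor:   {inflation_factor(p, q):.1f}x")
    # Larger q and p so the simulation converges quickly.
    print(f"simulated (p=0.1, q=0.02): {simulate(0.1, 0.02, 200_000):.4f}")
```

With p at one percent and q at one in a hundred thousand, the naive estimate is one in a million while the true value is about eleven times that; the rare shared event dominates the product of the independent ones. The same arithmetic applies to any redundancy argument whose members share a single point of failure, which is why the question to ask of "three independent systems" is always what they have in common.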


> 4. if the airplane or aircrew was any less, nobody would have survived

Yeah, if they were any less. But they should have been more. More is always better than less.





