Thanks for the compliment.
Yeah, 30% over MLW, I'd say that the risk of breaking something significant during landing were significant. Not certain, but high enough I'd not want to try it given any reasonable alternative.
The 10^9 is a difficult concept to define explain simply, because there's a certain amount of creative analysis which goes on to achieve that. However, it's not a description of the standards required of any single system - generally it's a per flying hour risk of an airframe loss.
You can't, for example, reasonably expect a hydraulic system to go totally tits up only once every 10^9 hours. On the other hand, no less often than every 10,000 hours is perfectly reasonable.
Put three hydraulic systems in the aeroplane - each with 1:10^4 risk per hour of going totally wrong. The risk of all three going wrong in the same hour becomes 1: ( 10^4 ^ 3) = 10^12. That's much better than 10^9, and it can be accepted. Pretty much every safety critical system on the aeroplane is certified on that basis - hence multiple electrical, hydraulic, avionic systems on the basis of known minimum reliabilities and a bit of maths.
There's a second principle that's fundamental to part 25 aircraft certification, and comes into play here as well - also involving our old chum James Reason and his famous Swiss Cheese. The principle is that it's totally unacceptable for any single event to cause an airframe loss. If you think back for example to the fleet grounding of Concorde after the Paris crash - the reason for that was that once it was identified that a single fault (lump of metal on the runway) had demonstrated the ability to cause an airframe loss, the type immediately had its Type Certificate suspended.
I'm no expert on the 787, but exactly the same principle will have been applied by FAA and EASA here. Taking the engine failure as a single event, it's totally unacceptable for that to be able to cause an airframe loss. There must be a second failure, totally independently, for that to be able to occur. By independently, I mean that it can't have been caused by the engine failure mode, or by your entirely predictable action of dumping fuel.
A great many people in Seattle, and their computers, will have spent hundreds of man-years modelling and heading off all such events well before even the flight test programme. So, if you've only had that single event, staying airborne to dump fuel should - within the parameters of certification - be a reasonable act.
If something else fails, then you need to apply some thought to the consequences of the double failure - I'm sure there are sim instructors who can create scenarios where you might want to consider landing over MLW at that point, although hopefully the real aviation gods will be kinder than the ground based ones.
G