tdracer

OK, fair enough (I was in a bit of a bad mood last night anyway - had to take the dog in for surgery yesterday and I was rather stressed about the whole thing).
But you need to keep in mind that the redundancy is always connected to the perceived system criticality. The autothrottle was always intended as an aid - not a flight critical system - and there are a number of single failures that can adversely affect the Autothrottle functionality. That's why pilots need to be trained that they need to monitor the system and not just assume it'll do the right thing (and shame on any training program that does not emphasize that fact). Just a few examples, pre-FADEC, is was not particularly uncommon for high downstream cable loads to overwhelm the clutch and cause one throttle to not move (or not move as much) - and even with FADEC, if someone drops something like a pencil down in the throttle quadrant, it can restrict a throttle. On the 747, 757, and 767, the autothrottle drive is a single worm gear - if that gear fails the autothrottle can't move the throttles. As a propulsion guy, we never assumed the autothrottle would always work properly - it made our job harder but we designed for it. The pilots needed to be trained for it as well (I was told that the 787 A/T was designed as a flight critical DAL A system - a first for Boeing Commercial, but I don't know details).

All the issues with MCAS trace back to one simple mistake - MCAS was not determined to be a flight critical system. While this appears incredibly dumb with 20-20 hindsight, it was assumed that an MCAS malfunction was no worse than major and it was designed as a DAL C system. Using a single input for a DAL C system is very normal and acceptable. It's only after people died that it was realized MCAS was flight critical and needed to be designed as such with appropriate levels of redundancy.