Re: safety controller?
You need to identify potential failures. Say your thermocouple failed on the first controller: the microprocessor is still working and should be able to identify the failure and take the appropriate action. In the case where your microcontroller has failed for whatever reason, the 'watchdog' or charge pump controlling the changeover relay would stop being 'kicked' and therefore the relay would drop out. If the controller is working correctly, it would toggle a port pin to kick the watchdog/charge pump.
Therefore your watchdog circuit would drop the relay out if:
1/ the unit lost power
2/ the microcontroller stopped executing
3/ a failure was detected
In addition, I would have at least a thermal fuse or bimetal thermal switch in line with the heater in case the heater was turned fully on and caused an overtemperature condition. Never trust a computer!
The design of critical systems is outlined in a European Union document, EN6xxxx (whose exact number escapes me at the moment), regarding machine safety and safety systems. I'd suggest you do a Google for this.
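To make the "kick only while healthy" idea concrete, here is a firmware-side sketch of the scheme in the post above. It is an added example, not code from the poster or from any product: the 12-bit ADC scaling, the 180 C setpoint, the plausibility limits, the full-scale open-circuit reading and the five-tick charge-pump hold time are all assumptions made for the illustration. The external charge pump is modelled as a counter that bleeds down each tick so the three drop-out cases (stopped executing, detected failure) can be run on a PC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed numbers for this example: a 12-bit ADC on a linear front end,
 * a 180 C setpoint, plausibility limits, and a charge pump that holds the
 * changeover relay in for five control ticks after the last kick. */
#define ADC_OPEN_CIRCUIT  0x0FFF   /* thermocouple open: input pulled to full scale */
#define TEMP_MIN_C        (-20.0f) /* colder than this: sensor/wiring fault */
#define TEMP_MAX_C        400.0f   /* hotter than this: over-temperature */
#define SETPOINT_C        180.0f
#define WDT_HOLD_TICKS    5

/* Model of the external charge pump / watchdog that drives the relay.
 * Each edge on the port pin tops the capacitor up; each tick it bleeds
 * down; the relay is energised only while there is charge left. */
typedef struct {
    int charge;
    int kick_pin;   /* last level written to the port pin */
} watchdog_t;

static void wdt_kick(watchdog_t *w)
{
    w->kick_pin ^= 1;              /* the port-pin toggle the post describes */
    w->charge = WDT_HOLD_TICKS;
}

static void wdt_tick(watchdog_t *w)
{
    if (w->charge > 0)
        w->charge--;
}

bool relay_energised(const watchdog_t *w) { return w->charge > 0; }

/* Assumed linear scaling of the ADC code to degrees C. */
float adc_to_celsius(uint16_t adc) { return (float)adc * 0.125f - 50.0f; }

typedef enum { HEALTH_OK, FAULT_SENSOR_OPEN, FAULT_SENSOR_RANGE, FAULT_OVERTEMP } health_t;

/* Plausibility checks on the thermocouple reading. */
health_t check_sensor(uint16_t adc, float *temp_c)
{
    *temp_c = adc_to_celsius(adc);
    if (adc >= ADC_OPEN_CIRCUIT) return FAULT_SENSOR_OPEN;
    if (*temp_c < TEMP_MIN_C)    return FAULT_SENSOR_RANGE;
    if (*temp_c > TEMP_MAX_C)    return FAULT_OVERTEMP;
    return HEALTH_OK;
}

/* One pass of the main control loop. The watchdog is kicked only here,
 * after the checks pass, never from a timer interrupt: a hung main loop
 * or a detected fault therefore stops the kicks and the relay drops out. */
health_t control_step(watchdog_t *w, uint16_t adc, bool *heater_on)
{
    float t;
    health_t h = check_sensor(adc, &t);
    if (h != HEALTH_OK) {
        *heater_on = false;        /* fail safe: drop the heater demand */
        return h;                  /* and withhold the kick */
    }
    *heater_on = t < SETPOINT_C;   /* simple bang-bang control */
    wdt_kick(w);
    return HEALTH_OK;
}

/* Run up to n ticks with a constant ADC reading, starting with the relay
 * already pulled in. run_loop = false models a microcontroller that has
 * stopped executing. Returns the tick on which the relay dropped out,
 * or n if it stayed energised throughout. */
int simulate(watchdog_t *w, uint16_t adc, int n, bool run_loop)
{
    bool heater_on = false;
    w->kick_pin = 0;
    w->charge = WDT_HOLD_TICKS;
    for (int i = 1; i <= n; i++) {
        if (run_loop)
            control_step(w, adc, &heater_on);
        wdt_tick(w);               /* the analogue side runs regardless */
        if (!relay_energised(w))
            return i;
    }
    return n;
}

int main(void)
{
    watchdog_t w;
    printf("healthy, 150 C:     relay held for %d/50 ticks\n", simulate(&w, 1600, 50, true));
    printf("thermocouple open:  relay dropped at tick %d\n",  simulate(&w, ADC_OPEN_CIRCUIT, 50, true));
    printf("controller hung:    relay dropped at tick %d\n",  simulate(&w, 1600, 50, false));
    printf("over-temperature:   relay dropped at tick %d\n",  simulate(&w, 3700, 50, true));
    return 0;
}
```

The point to take from it is where the kick lives: it is issued from the main loop only after the sensor checks pass, so both a detected fault and a hung loop let the charge pump bleed down and drop the relay. The loss-of-power case needs no code at all, which is exactly why the charge pump is the right element to drive the relay. It also shows why the thermal fuse in the post is still needed: a heater driver stuck on by a hardware fault is invisible to this loop, which would keep kicking as long as the thermocouple reads sane.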