Just one thing to be careful of.
When most uCs are started up, their output registers can be in a random state.
Which means that even if you have the 1st few lines of your code set all the registers to 0, and their DDR to outputs, it may already be too late. The outputs could have already randomly fired at switch on.
My high-power rocket launch controller is designed so that no single point of failure can cause a launch-capable fault.
Each firing channel has two high power MOSFETs: a high FET and a low FET. The ignitor connects between the two. The gates are driven through pulse transformers and series capacitors. The circuit is designed so that you must supply several hundred milliseconds of 30 kHz drive before the FETs can turn on. No "stuck-at" fault will cause a firing condition. The high FET drive and low FET drive come from two independent sources (a timer output and a bit banged signal... both from different ports).
The FET outputs are biased slightly above Vbatt/2 and below Vbatt/2 with high resistance dividers (multiple non-SMD resistors in series so no shorted part can cause more than 1mA to flow). The outputs are continuously monitored and a shorted FET or anomalous condition will shut down the system.
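A simplified software model of the drive qualification described above, added here as an illustration and not the poster's circuit or firmware: each gate only accumulates charge from signal edges and leaks continuously, so a stuck-at level, a single power-on glitch, or one working drive alone never turns both FETs on. The tick rate, `GAIN`, `LEAK`, `THRESHOLD` and all function names are constructed assumptions, chosen so that roughly 300 ms of 30 kHz drive is required.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model constants (assumptions, not values from the post). */
#define TICKS_PER_MS 60      /* 60 kHz tick: a 30 kHz square wave toggles every tick */
#define GAIN         2       /* charge added per edge passed by the AC coupling */
#define LEAK         1       /* charge bled off every tick */
#define THRESHOLD    18000   /* net +1 per tick => about 300 ms of 30 kHz drive */
#define CHARGE_MAX   20000

typedef struct { int32_t charge; bool last; } gate_t;

/* Advance one gate by one tick; only a change of level adds charge. */
static bool gate_step(gate_t *g, bool level) {
    if (level != g->last) g->charge += GAIN;
    g->last = level;
    g->charge -= LEAK;
    if (g->charge < 0) g->charge = 0;
    if (g->charge > CHARGE_MAX) g->charge = CHARGE_MAX;
    return g->charge >= THRESHOLD;
}

/* Drive source: half_period 0 means "stuck at `stuck`", else a square wave. */
static bool drive(uint32_t t, uint32_t half_period, bool stuck) {
    return half_period ? (((t / half_period) & 1u) != 0) : stuck;
}

/* True if both the high and low FET are ever on at the same tick. */
bool ignitor_fires(uint32_t ms, uint32_t hi_half, bool hi_stuck,
                   uint32_t lo_half, bool lo_stuck) {
    gate_t hi = {0, false}, lo = {0, false};
    uint32_t ticks = ms * TICKS_PER_MS;
    for (uint32_t t = 0; t < ticks; t++) {
        bool h = gate_step(&hi, drive(t, hi_half, hi_stuck));
        bool l = gate_step(&lo, drive(t, lo_half, lo_stuck));
        if (h && l) return true;
    }
    return false;
}

int main(void) {
    printf("both driven 500 ms: %d\n", ignitor_fires(500, 1, false, 1, false));
    printf("both stuck high 2 s: %d\n", ignitor_fires(2000, 0, true, 0, true));
    printf("low drive stuck 2 s: %d\n", ignitor_fires(2000, 1, false, 0, true));
    return 0;
}
```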