The way I have implemented these control systems for temperature and my home heating in the past has been more strict than this project.
In my heating control I do not rely on anything, or any device, to turn something OFF. OFF is just the default state, and if nothing demands otherwise it turns off and stays off. That extends down to the firmware on the boiler controller noting the expiry on the control message to turn it ON, and if that time expires and nobody has updated it, the firmware switches the relay off. (I confess this code is still not deployed on the relay device... shame... it is contained in the HTTP controller for it.)
The way this works is: something sends an update to a temp that results in a need for heating. A "demand" is raised with a time stamp and an expiry of 5 minutes. The heating will now be on for 5 minutes unless something specifically turns it off. The system will constantly strive to maintain that it stays ON, even if you try and manually turn it off or reboot something. It will not give up. However, if the Gods strike the house and the server goes on fire, that demand will expire and the heating will turn off. Assuming the world is normal and nice, the demand will be continually refreshed until it's no longer necessary, when it will be left to expire.
It's fault tolerant in most cases as it defaults back to safe. The only component that could fail and leave the heating on is the MCU controlling the relay locking up with the relay closed. Not yet, but I have plans for that also, certainly in terms of monitoring the health of my sheep (wifi devices) to keep tabs on them and raise an alarm if one of them is offline... especially if it's in a dangerous state when it did so, such as "ON".
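The demand-with-expiry scheme described in this post, sketched as an added Python example (an illustration written for this page, not the poster's code): the server side holds demands with a 5-minute expiry and derives the boiler state from them, while the relay side enforces the expiry carried by the ON message itself, so a dead server or a lost OFF message still ends with the relay open. The class and message names are assumptions, and the fake clock replaces time.monotonic so the fail-safe can be exercised offline.

```python
import time
from typing import Callable

DEMAND_TTL_S = 5 * 60  # a demand stays valid for 5 minutes unless it is refreshed


class FakeClock:
    """Deterministic stand-in for time.monotonic so the expiry logic can be tested offline."""
    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class HeatingDemands:
    """Server side (hypothetical): demands carry an absolute expiry; the boiler is ON only while one is live."""
    def __init__(self, clock: Callable[[], float] = time.monotonic, ttl: float = DEMAND_TTL_S) -> None:
        self.clock, self.ttl = clock, ttl
        self.expiry_by_source: dict[str, float] = {}

    def raise_demand(self, source: str) -> float:
        """Raise or refresh a demand from one sensor; returns the absolute expiry to send to the relay."""
        self.expiry_by_source[source] = self.clock() + self.ttl
        return self.expiry_by_source[source]

    def live_sources(self) -> list[str]:
        now = self.clock()
        # Expired entries are dropped: no refresh means no demand, whatever was last requested.
        self.expiry_by_source = {s: t for s, t in self.expiry_by_source.items() if t > now}
        return sorted(self.expiry_by_source)

    def relay_should_be_on(self) -> bool:
        return bool(self.live_sources())


class RelayFirmware:
    """Relay side (hypothetical): an ON message is honoured only until its own expiry,
    so the relay opens without needing anyone to send OFF."""
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.on_until = 0.0  # 0.0 means OFF, which is the default state

    def handle_message(self, state: str, expires_at: float) -> None:
        # OFF is applied immediately; ON is applied only as far as the sender's expiry allows.
        self.on_until = expires_at if state == "ON" else 0.0

    def relay_closed(self) -> bool:
        """Called from the firmware main loop; returns the state to drive the relay with."""
        return self.clock() < self.on_until
```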