An excellent demonstration of how "safety" features which add significant complexity tend to fail. This time, luckily, it failed in a safe way, and the good thing is, you did have the self-test feature. Somebody else would have been lazier and just trusted their independent 555 safety circuit without actually self-testing it.
Long time-constant analog delay circuits are iffy. If you had a batch of capacitors with higher leakage that would not self-heal on the first run, and if your self-test were not present or failed, then the safety circuit would be nonfunctional, too, and against MOSFET failure, it would have been better to simply control the relay from the microcontroller.