??? 12/15/05 08:26 Msg Score: +1 (+1 Informative)
#105267 - Safety. Responding to: ???'s previous message
Mehdi, realistically no-one can make something 100% safe. I'm not sure about the requirements of medical equipment, but most other devices that could cause death or injury need to be proven statistically that a failure might occur 1/10^9. There was an article in Circuit Cellar that went through the whole process.

Nevertheless - in many cases the requirement is that a major failure cannot be caused by one item; two or more is acceptable, BUT only if you can detect a single unit failure.

At a guess, I would consider a failure of your unit to be either no heat or too much heat. You need to analyse what might cause either of these two conditions and add a safeguard so that a failure can be detected. This requires a bit of creative thinking. Say you add a mechanical thermostat as your safeguard - how could the system test that for failure?

Also, remember that your microprocessor can't be trusted - extra hardware must be added to ensure the microprocessor behaves. If something goes wrong - you have to fail safe - turn off the heater and start beeping loudly. Even the relay to control the heater can't be trusted - what happens if that fails? How would you test that relay and cope with its failure?

Safe design starts early - use conservatively rated components. Don't use a 5A relay to switch 3A; use a 10A and so on. In your software, have you used formal design methods to show the exact operation of your code? Have you used defensive programming techniques to catch errors and to handle them? Many of these things are trivial to include in the design stage but difficult to add to a finished product.

Do a search for 'therac 25' to see what happens when no safeguards are put in place.
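The fail-safe pattern described in this post (detect a single-unit failure, then turn the heater off and alarm) sketched as a control loop. This is an added example, not code from the poster or from Mehdi's project; every threshold, the two independent temperature sensors, the relay's auxiliary contact and the monitored mechanical thermostat are constructed assumptions. It only models the software side: the external hardware watchdog the post calls for, and a self-test of the mechanical thermostat, are deliberately not modelled because this hypothetical hardware gives no way to exercise them.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed thresholds for a hypothetical heater; not from any real product. */
#define SETPOINT_C            60
#define HYSTERESIS_C           2
#define OVERTEMP_C            75   /* hard limit, independent of the setpoint       */
#define SENSOR_MIN_C         -10   /* readings outside this band mean a broken sensor */
#define SENSOR_MAX_C         150
#define SENSOR_DISAGREE_C      5   /* two independent sensors must agree this closely */
#define RELAY_MISMATCH_LIMIT   3   /* cycles the contact feedback may disagree with the drive */

typedef enum {
    FAULT_NONE = 0,
    FAULT_SENSOR_RANGE,       /* a sensor reads open/short                          */
    FAULT_SENSOR_DISAGREE,    /* the two sensors no longer agree                    */
    FAULT_OVERTEMP,           /* either sensor past the hard limit                  */
    FAULT_RELAY_STUCK,        /* contact feedback does not follow the drive         */
    FAULT_THERMOSTAT_TRIPPED  /* the mechanical backstop opened: primary control failed */
} fault_t;

typedef struct {
    int  temp_a_c;            /* primary sensor                                     */
    int  temp_b_c;            /* independent second sensor                          */
    bool relay_closed;        /* auxiliary contact of the heater relay (assumed)    */
    bool thermostat_open;     /* mechanical over-temperature thermostat has tripped */
} inputs_t;

typedef struct {
    bool    heater_on;        /* drive to the relay coil                            */
    bool    alarm;            /* sounder / lamp output                              */
    fault_t fault;            /* latched: only a service reset clears it            */
    int     mismatch_cycles;
} controller_t;

void controller_init(controller_t *c)
{
    c->heater_on = false;
    c->alarm = false;
    c->fault = FAULT_NONE;
    c->mismatch_cycles = 0;
}

/* Fail safe: heat off and make noise. The fault stays latched. */
static void latch_fault(controller_t *c, fault_t f)
{
    c->fault = f;
    c->heater_on = false;
    c->alarm = true;
}

static bool sensor_in_range(int t)
{
    return t >= SENSOR_MIN_C && t <= SENSOR_MAX_C;
}

/* One control cycle. Returns the (possibly newly latched) fault code. */
fault_t controller_step(controller_t *c, const inputs_t *in)
{
    if (c->fault != FAULT_NONE) {           /* already failed: stay off and alarming */
        latch_fault(c, c->fault);
        return c->fault;
    }
    /* 1. Can the inputs be trusted? */
    if (!sensor_in_range(in->temp_a_c) || !sensor_in_range(in->temp_b_c)) {
        latch_fault(c, FAULT_SENSOR_RANGE);      return c->fault;
    }
    int diff = in->temp_a_c - in->temp_b_c;
    if (diff > SENSOR_DISAGREE_C || diff < -SENSOR_DISAGREE_C) {
        latch_fault(c, FAULT_SENSOR_DISAGREE);   return c->fault;
    }
    if (in->temp_a_c >= OVERTEMP_C || in->temp_b_c >= OVERTEMP_C) {
        latch_fault(c, FAULT_OVERTEMP);          return c->fault;
    }
    if (in->thermostat_open) {                   /* second barrier acted: first one failed */
        latch_fault(c, FAULT_THERMOSTAT_TRIPPED); return c->fault;
    }
    /* 2. Did the relay do what it was told last cycle? Catches both stuck-open (no heat)
          and stuck-closed (too much heat) before the temperature limit is reached. */
    if (in->relay_closed != c->heater_on) {
        if (++c->mismatch_cycles >= RELAY_MISMATCH_LIMIT) {
            latch_fault(c, FAULT_RELAY_STUCK);   return c->fault;
        }
    } else {
        c->mismatch_cycles = 0;
    }
    /* 3. Ordinary hysteresis control on the primary sensor. */
    if (in->temp_a_c < SETPOINT_C - HYSTERESIS_C)  c->heater_on = true;
    else if (in->temp_a_c > SETPOINT_C)            c->heater_on = false;
    return FAULT_NONE;
}

int main(void)
{
    /* Constructed trace: the relay contact stays closed after the drive is removed. */
    controller_t c;
    inputs_t in = { 20, 21, false, false };
    controller_init(&c);
    for (int cycle = 0; cycle < 7; cycle++) {
        if (cycle == 1) in.relay_closed = true;            /* relay followed the drive */
        if (cycle == 2) { in.temp_a_c = 61; in.temp_b_c = 60; } /* setpoint reached */
        fault_t f = controller_step(&c, &in);
        printf("cycle %d: heater=%d alarm=%d fault=%d\n", cycle, c.heater_on, c.alarm, f);
    }
    return 0;
}
```

The order of the checks matters: input plausibility comes before the relay check, and the relay check before ordinary control, so that a decision is never taken on data the loop has just found untrustworthy. Note that `latch_fault` is the only place the alarm is set, and nothing in `controller_step` ever clears it; that is what makes the fail-safe state sticky.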