I can see several single-point failure modes that would result in an energized output, with no warning unless you tap the clips together.
1) RLY1 contacts shorted. A not uncommon failure mode.
2) Q1 fails, energizing RLY1.
3) The Arduino fails, turning on Q1.
At the bare minimum there should be an audible warning if the relay is closed. Better would be to include that and remove the single-point failure modes.
The simplest is to have the relay switch the high side when the arm key switch on the controller is enabled. Then use a low Rds(on) FET to switch the low side. You might need a FET driver to fully enhance it. (The MIC5018 is my favorite.)
In addition, a pad-side safe/arm switch that disconnects the igniter outputs from the electronics is a very good idea. (DARS has had good results with 20A DPDT toggle switches.) Otherwise this system is totally dependent on the software operating correctly. Proving software correctness (not only what you write but in the Arduino libraries and in the XBee) is hard.
The keyswitch is wasted as it serves no useful purpose.
Then to the point of driving the high side...
I am attaching a modified schematic to try and capture your thoughts...
View attachment Launch Pad_Control Shield Alt.pdf