This is NOT what a dual channel emergency stop circuit means.
A dual channel emergency stop circuit is a method of using redundancy to eliminate a single point of failure in the safety monitoring circuit. This means using normally closed contacts, where both pairs are independently monitored by a safety rated relay or controller. Test pulses or coded voltages can also be used to achieve a higher safety rating and to eliminate the possibility of failure due to short-circuiting between channels.
No offense, but what you have proposed in this thread will not meet any kind of international safety standard requiring design using 'basic safety principles', whether that be Safety Integrity Level (SIL), Performance Level (PL) or Safety Category.
It is concerning, the lack of knowledge and flippant recommendations that seem to be coming so often from US posters regarding basic machine safety principles.
It is not a requirement to cut the power to everything except the controller and HMIs.
The only requirement is that energy is removed from potential hazards, whether they be electric motors, pneumatic cylinders, hydraulic cylinders, or large pieces of machinery with kinetic energy and long run-down times such as large flywheels. This is most commonly done using safety-rated components like safety contactors on the power circuits, safe torque off inputs on variable speed drives, safety-rated pneumatic/hydraulic dump valves, and solenoid or electromagnetically interlocked guarding.
You really need to do some more reading before jumping into this, or contact your local safety supplier such as SICK, Pilz, AB for some recommendations and help.
Even though this is geared to robot safety, this document has some good information on the fundamentals of designing a machine safety system.
Safety Categories, Performance Levels and SILs for Machine Safety Control Systems
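As an added illustration (not part of the post above, and not any vendor's safety relay logic), the following toy Python model shows why the dual-channel monitoring described in the post needs both independent channel monitoring and test pulses: two NC contacts feed two inputs, each channel carries its own constructed pulse pattern, a channel discrepancy that outlasts a tolerance window latches a fault, and a signal arriving in a slot where the channel's own pulse is low is flagged as a cross-channel short. The pulse patterns, the discrepancy window and the wiring model are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed test-pulse patterns: each channel's signal is chopped in its own
# distinct pattern so the monitor can tell a foreign signal from its own.
PULSE_A = (1, 1, 0, 1)
PULSE_B = (1, 0, 1, 1)
DISCREPANCY_WINDOW = 2  # scans the two channels may disagree before a fault

def sample_inputs(slot, closed_a, closed_b, cross_short=False):
    """Wiring model: what each relay input reads in pulse slot `slot`.  A closed
    NC contact passes its channel's pulse, an open one reads 0.  A short between
    the channel wires (constructed fault) ORs the two signals together."""
    a = PULSE_A[slot] if closed_a else 0
    b = PULSE_B[slot] if closed_b else 0
    if cross_short:
        a = b = a | b
    return a, b

@dataclass
class DualChannelMonitor:
    fault: Optional[str] = None                  # latched until a manual reset
    closed: list = field(default_factory=lambda: [False, False])
    disagree: int = 0

    def scan(self, slot: int, in_a: int, in_b: int) -> bool:
        """One scan cycle; returns True only when the outputs may be enabled."""
        if self.fault:
            return False
        for ch, (level, pulse) in enumerate(((in_a, PULSE_A), (in_b, PULSE_B))):
            if pulse[slot]:
                self.closed[ch] = bool(level)    # own pulse due: read the contact
            elif level:                          # a signal where none was sent
                self.fault = f"channel {'AB'[ch]}: foreign signal (cross short)"
                return False
        self.disagree = self.disagree + 1 if self.closed[0] != self.closed[1] else 0
        if self.disagree > DISCREPANCY_WINDOW:
            self.fault = "discrepancy: channels disagree for too long"
            return False
        return all(self.closed)

def run(cycles, closed_a, closed_b, cross_short=False):
    """Scan a fixed circuit state; returns (outputs enabled, latched fault)."""
    mon, enabled = DualChannelMonitor(), False
    for t in range(cycles):
        slot = t % len(PULSE_A)
        enabled = mon.scan(slot, *sample_inputs(slot, closed_a, closed_b, cross_short))
    return enabled, mon.fault
```

Note that with a cross short and contact B open, the very first slot (both pulses high) reads both channels as closed and would enable the outputs; it is the next pulse slot that exposes the foreign signal, which is the point of the test pulses.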