The issue at play is "fault masking".
Let's forget e/stops for a moment, and talk about dual-channel guard switches.
You put two guard switches in series, Guard 1 and Guard 2. Guard 2 develops a fault, and one contact welds shut. Next time you open Guard 2, the safety relay/PLC sees the discrepancy and locks the safety out. Fault detected, everyone is happy.
But let's say you open Guard 1. Both channels to your safety relay turn off together. Safety relay is happy (although tripped, of course). Then you open Guard 2. Both channels are already broken by Guard 1, so safety relay still happy. Then you close Guard 2. Safety relay still happy. Then you close Guard 1. Both inputs come back on together, so the safety relay is happy and can now be reset. You opened and closed a guard with a faulty guard switch, and the fault was not detected - that is, the fault was masked. Safety relay happy, safety inspector, not happy!
Let's take it a step further, and suggest that maybe Guard 1 and Guard 2 are on a set of doors where Guard 1 closes over the top of Guard 2. This means that you physically can't open Guard 2 until Guard 1 is opened, and you will always close Guard 2 before closing Guard 1. If that's the case, you will never detect the fault on the Guard 2 guard switch. It will sit like that for years, until the other channel welds shut. Then it'll sit like that right up until someone closes Guard 1 with Guard 2 still swinging in the breeze, resets the safety circuit, and fires the machine up with a guard open. Safety relay happy, safety inspector (very) unhappy!
To swing back around to e/stops: there are different schools of thought on this, but some say that you can put them in series, and still meet Cat 4. The reasoning goes something like this...
For Cat 4, you have to establish that all faults will be detected at or before the next demand on the safety device. i.e. if a contact on your guard switch or e/stop fails open, you detect it immediately (before the next demand on the safety device), and if it fails closed (welds shut) you detect it next time you open the guard or press the e/stop (at the next demand on the safety device), because the safety circuit sees the discrepancy between channels when one of them opens and the other doesn't.
So, why can't you do it with guard switches, but can with e/stops? Because, you never press more than one e/stop. You press an e/stop, the machine stops. What rationale do you have for pressing another one? So from an operational point of view, it's easy to say that you will never have more than one e/stop pressed at a time, and to assess the chances of fault masking by virtue of these devices being in series as being negligible. Guard switches are a different matter. When you need to access a machine, you almost always open multiple guards to do so. So the likelihood of fault masking is much higher.
This is, of course, open to interpretation. But I've overseen many safety validations from internationally-renowned safety companies, and in most cases these machines have 10-15 e/stops into one pair of safety inputs (with a non-safety input for feedback as to which device is operated), and then every guard switch into it's own pair of inputs - and they get successfully validated as Cat 4. So those companies and their assessors obviously subscribe to this view.
