As far as checking the checker, we use the PLC to do that. Just use an input from every change in the stop circuit and program the logic...
In the Safety World, a redundant "checker", and subsequent redundant "checkers", must be at least at the same Safety Integrity Level (SIL) as the first "checker". Auxiliary contacts on Safety devices, wired back to standard PLC inputs, should only be used for status indication, or bringing the program cycle, not the hazard, to a desired state before a re-start. These auxiliary contact signals must not perform any part of the Safety Function, i.e. bringing the system to a Safe State.
...All guarding should be triple redundant...
As Ian pointed out, not necessarily.
Guarding may use single, or dual redundancy, but rarely would use triple redundancy, even on presses.
Again, redundancy being of an equal Safety Level as the first, and second "checkers".
But more importantly...
1. i.e. a dry contact in the device in the e-stop circuit;
2. a separate dry contact in the e-stop RELAY circuit;
3. and of course in the PLC to indicate the fault...
...again these are auxiliary contacts and must not act as part of a Safety Function. This is not triple redundancy, but merely auxiliary status monitoring. The thinking here would be to enable a fault status if any one of those inputs were to change.
But, either way, this is not how the principle of triple redundancy works.
Triple redundancy uses a voting system that decides at what failure point the Safety Function will be triggered. The failure point is determined by a pre-selected voting architecture, such as one-out-of-three (1oo3), or two-out-of-three (2oo3).
For example:
1oo3 Architecture
If one of three Safety Channels, i.e. one-out-of-three, on a guard interlock switch, were to fail open, the Safety Function must trip.
2oo3 Architecture
If one of three Safety Channels were to fail open, the Safety Function must not be triggered, as the other two Channels are voting to maintain the Safety Function. However, if a second Channel then failed open, two-out-of-three have now failed and the Safety Function must be tripped.
...Hugs and handshakes,
David
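The voting described above, as an added example that is not part of the original post: a small Python model of an M-out-of-N voter, run over a constructed scan sequence in which one channel, then a second, fails open. The names `vote` and `first_trip_scan`, the boolean channel convention (True = closed) and the discrepancy flag are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class VoteResult:
    trip: bool          # True -> Safety Function is demanded (go to Safe State)
    open_channels: int  # number of channels currently reading open
    discrepancy: bool   # channels disagree: a diagnostic fault, not a trip by itself


def vote(channels, m):
    """MooN voter: trip when at least m of the N channels read open.

    channels: iterable of bool, True = channel closed, False = channel open.
    """
    states = list(channels)
    n = len(states)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= number of channels")
    open_count = sum(1 for closed in states if not closed)
    return VoteResult(trip=open_count >= m,
                      open_channels=open_count,
                      discrepancy=0 < open_count < n)


def first_trip_scan(scans, m):
    """Index of the first scan at which the voter trips, or None if it never does."""
    for i, scan in enumerate(scans):
        if vote(scan, m).trip:
            return i
    return None


# Constructed sample: three channels of one guard interlock over three scans.
SCANS = [
    (True, True, True),    # all channels closed
    (True, False, True),   # one channel fails open
    (False, False, True),  # a second channel fails open
]

if __name__ == "__main__":
    for m in (1, 2):
        for i, scan in enumerate(SCANS):
            r = vote(scan, m)
            print(f"{m}oo3 scan {i}: trip={r.trip} "
                  f"open={r.open_channels} discrepancy={r.discrepancy}")
```

With the same inputs, 1oo3 trips on the first open channel, while 2oo3 holds until the second and reports only a discrepancy in between.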