Dear rotiboy,
If yr metal detector (MD) query is typical, I think you may hv misunderstood the decision tree and / or misunderstood the way to do a hazard analysis.
Assuming a Codex tree, Q2 is the classic route for a MD to be a CCP. (ie YY)
If you are doing a preliminary direct risk analysis, one approach is to ask oneself regarding the likelihood / consequences if there is a failure in the existing set-up. The (multiplied) choice for a MD is usually something like MM or MH which in most matrices will generate a significant risk.
I agree the logic chain is debatable, ie if you hv absolute trust in all yr system inputs / processes / environment, or you believe any failures will hv zero safety consequence, no CCPs or OPRPs will exist. This is a possible situation but not so common and not generally regarded as a typical result for metal detectors (despite the manufacturer's guarantee ).
The Codex tree is supposed to provide a nice auditor-friendly CCP generator in this case. Unfortunately, some other control measures are less smoothly conclusive (eg the baking step in bread making).
Of course, if you initially decide the hazard is not significant, i suppose you can self-define as many CPs as you like. Some people simply directly equate [an undefined] CP to oPRP, i personally find this a rather bizarre procedure but it happens.
Rgds / Charles.C