There is probably no other single control point raising questions than metal detection and metal detectors. A properly designed and understood risk assessment and decision tree used in conjunction with a good dollop of common sense is an absolute requirement.
I will try and cover the thought process though, not following the rigours of the decision tree.
1. Where is any metal contamination going to come from, what type of metal and what size(s) of fragment.
2. Can these be eliminated or controlled so they are not a risk to a consumer of the candy?
3 If not, I would assume you are not regularly contamination your product on an ongoing basis, so, in the event of a metal detector failure, can you identify (through inspection for example) whether something has failed and contamination occurred, e.g. missing bits of a mixer blade.
The objective is to sell safe product, not product contaminated with pieces of metal which could cause injury. If you have a metal detector in place which fails, as long as an audit or inspection of the process and equipment shows nothing metallic is missing (you have to know your process well) and you do not have a history of product contamination, you will have a metal detector is useful as a failure alarm rather than a control and certainly not a CCP. Prevention is better than cure. Think due diligence in the event of detector failure rather than in-process failure.
I hope this sort of makes sense. I am a fan of metal detectors, but not a fan of metal detectors being CCPs as this tends to lead one down the route of no way out apart from dumping product, and normally there are other ways out.