for my device I have:

P1: the probability that a hazardous situation occurs may depend on my device of course, and I can introduce some control measures to reduce it. In some cases I think that, after risk control measures are implemented, P1 can be considered equal to zero (except in case of fault), so my question: can I consider P1=zero in normal condition? (I suppose I can't).

P2: the probability that a hazardous situation (caused by my device) leads to harms is completely independent of my device but it can be due to failure or misuse of other risk reduction measures (other devices or procedures not under my control). I guess I cannot use the possibility of success (or failure) of other risk reduction measures to change P2.

S: the same hazard/hazardous situation can generate harms with different severity degree (from no symptoms to death), and this depends only on the individual reaction: I consider only the worst case.

Unless I can reduce P1 to zero, even if I reduce P1 to its lowest level, my residual risk still falls under the category “to be reduced as far as possible” because I cannot reduce P2 neither S.

As my device is requested and recognized as one of the cumulative methods to reduce the possibility that the hazardous situation occurs, should I stop here and evaluate the risk/benefit profile?

More generally, I'm not sure the way I'm thinking to this process is correct.

Could someone give my an opinion?

Thank you!!