A system may include a plurality of different system components and/or subsystems. These subsystems may include software and/or hardware components. Components in a subsystem include functional components providing functions that may be activated by other components of the same or another subsystem. The components of a subsystem may communicate with each other via a local communication network. A system (e.g., a safety critical system) may include embedded subsystems that communicate with each other and build up a larger, loosely coupled system having an unknown configuration at runtime. Such a loosely coupled system is often referred to as a cyber-physical system. A safety critical system may be, for instance, an intelligent power distribution network, a healthcare system, or a traffic control system. These kinds of systems may become safety critical due to associated risks during operation. With increasing complexity of such systems, the number of configurations of the system may either be almost infinite or even unknown at design time. Hence, a certification of the system at design time that documents a safe interaction for all possible configurations of all system participants at runtime may become indispensable. In a complex safety critical system, it has to be decided whether or not it is safe for a part or subsystem of such a safety critical system to interoperate with another part or subsystem at runtime of the safety critical system. This has to be decided even when the parts or subsystems of the safety critical system are supplied by different vendors, in which case their interaction becomes a matter of trust between the vendors.