The more highly automated road vehicles become, the more complex their control systems get, along with the task of identifying and reaching the safest possible state with acceptably high probability in as many operational situations as possible. In this paper, we outline a modeling formalism for hazard-mitigating controllers capable of run-time hazard identification and mitigation. This formalism equips the safety engineer with an incremental approach to (i) identify hazard causal factors and whole endangerment scenarios and (ii) derive operational strategies for mitigating these scenarios. We exemplify the conception of fail-safe control strategies as well as the allocation of such strategies to a control system architecture.