To operate real-time, distributed, safety critical systems, their logical and temporal correctness must be validated against strict safety requirements. International committees, like CENELEC, produced standards that define appropriate life cycle and techniques to be used in all the phases of development and V&V process. However the guidelines given by the norms are quite general: a more detailed methodology is needed to exhaustibly cover all the aspects of complex system. This paper describes the hazard analysis methodology defined and used in ASF (Ansaldo Segnalamento Ferroviario) and the results obtained by its application to the ERTMS/ETCS system. This methodology is divided in several phases: first, all the functional and architectural components and their interfaces are identified, then all possible hazard scenarios are identified. These scenarios are then analyzed in a series of hazard workshops and traced in a log, the hazard log, which records also measures needed to mitigate them. Mitigations become new requirements for the systems: only providing evidence of their correct implementation the system can be certified to be safe.