The characteristics of the CANDU reactor relevant to severe accidents are set by the inherent properties of the design and by the Canadian safety and licensing approach. The pressure-tube concept allows the separate, low-pressure, heavy-water moderator to act as a backup heat sink even if there is no water in the fuel channels. Should this also fail, the calandria shell itself can contain the debris, with heat being transferred to the water-filled shield tank around the core. Should the severe core damage sequence progress further, the shield tank and the concrete reactor vault significantly delay the challenge to containment. Furthermore, should core melt lead to containment overpressure, the containment behavior is such that leaks through the concrete containment wall reduce the possibility of catastrophic structural failure. The Canadian licensing philosophy requires that each accident, together with failure of each safety system in turn, be assessed (and specified dose limits met) as part of the design and licensing process. In response, designers have provided CANDUs with two independent dedicated shutdown systems, and the likelihood of anticipated transients without scram is negligible. Probabilistic safety assessment studies have been performed on operating CANDU plants and on the 4 x 880-MW(e) Darlington station now under construction; furthermore, a scoping risk assessment has been done for a CANDU 600-MW(e) plant. These studies indicate that the summed frequency of severe core damage is of the order of 5 x 10^-6/yr. The CANDU nuclear plant designers and owner/operators share information and operational experience nationally and internationally through the CANDU Owners' Group.
The research program generally emphasizes the unique aspects of the CANDU concept, such as heat removal through the moderator, but it has also contributed significantly to areas generic to most power reactors, such as hydrogen combustion, containment failure modes, fission-product chemistry, and high-temperature fuel behavior. Abnormal plant operating procedures are aimed at first using event-specific emergency operating procedures in cases where the event can be diagnosed. If this is not possible, generic procedures are followed to control critical safety parameters and manage the accident.