SAFE is a member-governed, not-for-profit enterprise that: Manages and promotes the SAFE standard Provides a legal and contractual framework Provides technical infrastructure to bridge different credentialing systems Provides SAFE identity credentials, both directly and through vendors Supports vendors who supply SAFE-enabled products. SAFE project initiated in November 2003

Pharma A Pharma B Pharma XPharma C Site ID Pharma D User ID/ Password Current environment Many Credentials Access control Only Physical paper signing required High user complexity High cost SAFE environment One Credential Access control and eSignature Eliminate paper signatures Lower aggregate costs

SAFE-BioPharma Association incorporated May 2005  AstraZeneca  Bristol-Myers Squibb  GlaxoSmithKline  Genzyme  Johnson & Johnson  Merck  Nektar  Organon  Pfizer  Procter & Gamble  Roche  Sanofi-Aventis

Pfizer: eLab Notebooks Regulatory submissions AstraZeneca: 150+ regulatory submissions via FDA’s ESG: 2252, 1571, 356h and eCTD GSK: eCTD submissions J&J: All J&J certificates are SAFE P&G: Enterprise digital signature 4,500 eLab Notebooks ePurchasing eHR – forms ePatent Filings BMS: External partner authentication

SAFE Member reps with QA/Compliance/Reg backgrounds FDA key offices engaged since inception Jointly-developed SAFE/FDA Auditor Familiarization Program FDA statement on SAFE Complies with appropriate guidance, especially as related to 21CFR11 When used as the basis for implementation of a digital signature capability, the SAFE standard facilitates user compliance with 21CFR11 SAFE-FDA Auditor/Compliance Workshop Training audit of SAFE-signed submission The FDA’s goal is to eliminate paper from application receipt and review processes. A paperless application process must include legally binding electronic signatures.

Participants SAFE Evaluation Team: EMEA, GSK, Organon, Pfizer SAFE EU Advisory Council EU and Member State regulations EU implementations Next Steps eCTD submission by SAFE member Auditor workshop – EMEA and Member State Regulators The SAFE Evaluation Team (EMEA, EFPIA, Companies) determined that SAFE meets EU Electronic Signature and Clinical Trial Directives requirements.

Adobe Aladdin Arcot Bearing Point CoreStreet Cybertrust SAFE Premier Partners ARX DataLabs IntraLinks Solabs Open Text SAFE Issuers Citibank Cybertrust IdenTrust J&J BMS P&G SAFE Partners IBM IDBS Microsoft Northrop Grumman

FBCA cross certification In progress, mid-2007 Token-less Credentials Simplify deployment to Research Partners

Existing PKI Cross certified with SAFE September 2005 Issued ~75,000 certificates to date (employees, partners) Regulatory Filings Remote Access (VPN) Policies require two-factor authentication Signed/Encrypted Certificate-based logon – to the LAN and applications Hard disk (“media”) and file/folder encryption Digital Signatures QA documentation System Build documentation Site Monitor Trip Reports E-Trial Master File application