Nerve Blue Features

Nerve documentation

System Architecture

Nerve Blue offers an open architecture that can be used to host and manage Docker containers, virtual machines and IEC 61131-3 PLC applications. In addition, Nerve provides Data Services which enable you to connect, collect, store and visualize data at the edge and in the cloud.

Nerve Blue is designed for industrial environments – it features unique workflows ideally suited for production facilities and machines. Typical applications include Windows VMs for HMI or SCADA, containers running predictive maintenance code, and 61131-3 programs to connect to fieldbus devices or to control the operation of a machine.


Nerve Blue Elements

Nerve Blue comprises two main elements: the centralized Nerve Management System that runs on-premise or in the cloud, and the Nerve Node software that is installed on standard edge devices connected to machines on the shop floor.

  • Nerve Node software is installed on an edge device. The system is Linux-based with a User Space that makes use of a real-time hypervisor and Docker container support. In addition, Nerve Node software contains all services for communication with the Management System, remote access, logging, monitoring and patching.

  • The Nerve Management System is an on-premise or cloud-based software for central management of connected nodes. It enables users to update Nerve Node software and deploy workloads, as well as offering remote connection to nodes for device monitoring and central logging.

  • The User Space is the place where all user applications (known as workloads) can be installed and run on nodes. Workloads can be Docker containers, virtual machines or CODESYS 61131-3 Soft PLC applications.

  • The Workload Repository holds the workload images and configurations that are available to deploy to nodes. Here, users can define settings and parameters for each workload. It also supports versioning of workloads for application updates.

  • Nerve Data Services are a collection of features supporting users with data connectivity, storage and visualization. A multi-protocol data gateway is available on each node. Data storage and visualization are available on each node and in the Management System. The integrated Soft PLC can also be used to connect to fieldbus devices. Nerve Blue comes with an SDK to easily create Python applications that communicate with the Data Services.

  • Nerve Blue integrates a CODESYS Soft PLC supporting PROFINET, EtherCAT and Modbus protocols at cycle times down to 1 ms. Using the Soft PLC users can collect data and pre-process in IEC 61131-3 languages or run control applications for machines.

  • Management Services comprise all features that enable users to remotely manage their fleet of devices in the field. Management Services include device monitoring, centralized logging, remote screen viewing and remote network access, which offers similar functionality to an integrated VPN.

  • Node Services are installed on Nerve Nodes and act as the counterpart to the Management Services. Node Services include the software components necessary to enable remote monitoring, logging, and remote access from the central management system. Node Services also provide the local graphical management interface (Local UI).

  • The Nerve Management System can be controlled via an API to enable automation of repetitive tasks or integration in a CI/CD pipeline.

  • The Nerve Management System User Interface provides an intuitive overview of all central Management System functions.

  • The Local User Interface provides manageability of individual nodes in case access to the central Management System is not available.

Nerve Blue Features

Nerve Blue offers a unique approach to edge software management, with features that are tailored to address real-world use cases experienced by machine-builders and plant operators.

  • A Nerve Node can run multiple workloads (applications) on one device. Workloads can be hosted as Docker containers, virtual machines and 61131-3 CODESYS applications.

    Containers as workloads

    Nerve Nodes support Docker containers as workloads. Containers run in non-privileged mode for security reasons.

    Virtual machines as workloads

    Nerve Nodes support multiple virtual machines as workloads. Existing solutions can be migrated into Nerve without requiring any modifications. Virtual machines can be created on a node, then pushed to the Workload Repository in the Management System and distributed to all nodes worldwide.

    61131-3 applications as workloads

    Nerve Nodes support CODESYS 61131-3 applications as workloads. 61131-3 applications can be programmed and tested using the CODESYS IDE on a Nerve Node, then a workload can be created and distributed to other nodes.

    Docker volumes for persistent storage

    Nerve supports named Docker volumes to provide persistent storage for applications.

    Device passthrough for virtual machines

    Devices that are connected to Nerve Nodes can be assigned and made available to Virtual Machines.

  • All workloads in the Workload Repository are available for deployment to nodes. Users can define settings, parameters and versioning for each workload.

    Container management

    Docker containers on connected nodes can be managed centrally from the Management System or locally at the edge. Docker containers can be pulled from your private registry or from Docker Hub.

    Full encapsulation of workloads

    When workloads are created, they can be fully encapsulated with all the parameters needed for installation. This ensures that software deployment is straightforward for service personnel.

    Workload versioning

    Workloads can be updated with new versions. This ensures that the Workload Repository does not get cluttered when applications are continuously improved and updated.

    Workload release

    Workload versions can be marked as released. A released workload cannot be modified. This ensures clarity about which exact configuration of a workload is deployed.

  • The Nerve Management System provides a central point for managing all connected nodes. Users can manage nodes, update firmware, monitor device status and deploy and manage workloads. It is available as a hosted service run by TTTech Industrial, or for on-premise installation.

    Device Onboarding

    Nerve Devices are securely onboarded in the Management System during the installation process.

    Device Monitoring

    Nerve displays the online status and resource consumption of devices in a user definable hierarchy.


    Nodes can be classified using labels. These can be used in combination with so-called “selectors”, ensuring that a workload can only be installed on nodes with the corresponding labels. Labels can be viewed, added, deleted and merged in the Management System.

    Firmware updates

    Nerve Node software (Base System) running on edge devices can be updated via the Management System. Nerve supports A/B updates which permit safe rollback to the previous version.

    Application life-cycle management

    Nerve enables not only the installation and deletion of applications to/from nodes, but also allows applications to be started and stopped remotely via the Management System.

    Local acknowledgment for modification of 61131-3 applications

    Nerve can be configured to require local acknowledgment for modification of 61131-3 applications. Where the integrated CODESYS Soft PLC is being used to control machine movements or critical operations, administrators can require that modifications are only made when a local user actively permits the change.

  • Nerve Data Services are a collection of integrated applications that offer data transport, analytics and visualization solutions for users.

    Data ingestion and transport

    The integrated Nerve Gateway collects and forwards data from connected devices. The CODESYS Soft PLC can also be used to connect via fieldbuses.

    Storage and visualization

    A Time-Series Database and open-source visualization system are integrated on Nerve Nodes and in the central Management System. These systems can be easily integrated with user applications running on the node.

    Controlled retention policy

    Nerve enables users to configure the retention time of the integrated Time-Series Database to ensure that storage is never filled up unintentionally.

    Data push to cloud or server

    The Nerve Gateway is freely configurable to push data to any MQTT broker or into any SQL or influxDB, even if it is outside the Nerve system.

    Analytics application integration

    Analytics applications can be run as workloads making use of the data infrastructure provided by Nerve (or other data sources if desired). The Nerve data format is open and well-documented so applications can be configured to work with the data from the integrated Time-Series Database or use the MQTT broker provided.

    Pre-configured NodeRed workload

    Nerve offers a pre-tested open-source NodeRed application, enabling graphical configuration of basic data manipulation and transfer.

    SDK for Python

    Nerve offers a Python SDK which enables users to start creating applications that can work with data provided by Nerve Data Services.

  • The Nerve Gateway collects data from various sources, normalizes it to a JSON format and pushes it to a number of data sinks for further processing. The gateway can be used to push data to the Nerve Management System or other systems.

    Gateway configuration using JSON

    The Nerve Gateway can be configured from within the Management System and the local user interface using a structured JSON format.

    Periodically triggered connection

    Gateway operation is triggered periodically (down to 1 ms cycle time).

    Modbus access

    The Nerve Gateway supports access to Modbus TCP sensors natively, without the need of using the Soft PLC as fieldbus gateway.

    S7 connection access

    The Nerve Gateway supports direct access to Siemens S7 PLCs on their S7 comm interface.

    OPC UA server connection

    The Nerve Gateway supports collection of data from OPC UA servers. The Nerve Gateway supports authentication via username/password and certificates.

    Subscription to MQTT/JSON

    The Nerve Gateway can subscribe to MQTT brokers. The data must be structured in the normalized JSON format.

    Integrated OPC UA server

    The Nerve Gateway integrates an OPC UA server which is freely configurable. This server can be used to create full-feature OPC UA interfaces to machines.

    Accurate timestamping

    The normalized JSON data format includes a timestamp. If supported by a protocol (i.e. OPC UA PubSub), the timestamp is taken from the message received by the Gateway. If the protocol does not provide timestamps, a timestamp is taken upon reception of a frame at the respective Gateway Input.

    Publish and subscribe to OPC UA Pub/Sub

    The Nerve Gateway supports the new OPC UA Pub/Sub standard


  • Nerve integrates Grafana for dashboarding on each node and in the Management System.

    Preconfigured data sources

    Nerve has preconfigured data sources for Grafana that allow data provided through the Nerve Gateway to be accessed without further configuration.

    Alarms on data

    The integrated Grafana can create various types of alarms on the data in the database. You can use this feature to notify service personnel if your configured triggers fire.

  • Nerve integrates Soft PLC that can be used to access fieldbus-level sensors and actuators. It can also be used for running machine control applications.


    The integrated CODESYS Soft PLC (Version 3.5) is fully managed and applications can be distributed to nodes via the Nerve Management System.

    1 ms cycle time

    The CODESYS Soft PLC runs down to 1 ms cycle time, taking advantage of the extraordinary computational power of Intel CPUs.

    Fieldbus Support

    The Soft PLC supports multiple fieldbus protocols. It can act as an EtherCAT master, PROFINET master and PROFINET device.

    High speed connection to influxDB

    Nerve provides a connector from the CODESYS Soft PLC directly to an influxDB Time-Series Database, optimized for high throughput. Using an Intel Atom class CPU, more than 10,000 samples per second can be pushed into the database.

    Retain variable support

    The CODESYS Soft PLC includes retain variable support. Nerve provides a library to help users with this feature.

    Dedicated fieldbus port

    Hardware permitting, Nerve supports a dedicated, high speed network port for the fieldbus connections from CODESYS.

  • Nerve includes a wealth of features to ensure that the system always operates securely and keeps production data secure.

    Simple device updates

    Firmware updates can be rolled out with the click of a button, ensuring that systems are kept up-to-date and patched.

    Separation of applications

    Workloads in Nerve run as virtual machines or Docker containers. This ensures that workloads are well isolated so that they cannot interfere with each other.

    Secure onboarding

    Nerve users and API clients are subject to Role-Based Access Control. Administrators can manage permissions in the Management System.

    Penetration testing

    Nerve has been penetration tested by Limes Security GmbH, a well-known Austrian company focusing on industrial security.

  • Nerve Nodes offer full functionality even when not connected to the Management System for whatever reason. When a node comes online, the Management System syncs to the node and recognizes any modifications made while it was disconnected.

    Disconnection from the Management System

    Devices can be disconnected from the Management System to ensure that nodes are only online when needed or to avoid unnecessary connections fees.

    Intermittent and slow connections

    Nerve is designed to deal with intermittent and slow connections. After a connection is lost, data is stored locally and synced with the Management System upon reestablishment of the connection.

    Local user interface

    Nerve provides an HTML-based local user interface to manage nodes without connection to the central Management System.

    Local workload management

    The local user interface permits adding, starting, stopping and deleting workloads just like the central management system does. A service engineer can export a workload from the management system to his laptop, take it to the node which is offline and install it through the intuitive user interface.

    Local software repository support

    For working with bad connections or working with many nodes in one network, it may be useful to run a software repository at the node. Nerve supports even that.

  • Nerve integrates a full-featured remote access system which allows users to view the screens of virtual workloads.

    Remote Tunnel (VPN)

    Remote tunneling is like a VPN, but with a narrower scope, specifically configured for one application. This ensures that specific services are only exposed through the remote tunnel, rather than to the network in general like in a VPN solution. Remote tunneling can be used to connect to a shell, a web-UI or an FTP server running in workloads or even on external devices in a node’s network.

    Configuration of remote access from within a workload

    Remote access can be configured when creating a workload in the Nerve Management System. Remote access to the workload is then available whenever it is deployed to a node. No additional configuration is necessary.

    Remote connection manager for Windows and Linux

    The Nerve Connection Manager automatically opens when starting remote tunnel access to a Nerve Node. The Connection Manager must be installed locally on a PC to use remote tunnel access. The Connection Manager is available for Windows and Debian-based Linux operating systems like Ubuntu.

    Remote screen access

    Nerve integrates a remote screen viewing solution in the Management System. It runs directly in the browser and can be used without installation of a client on a PC. Nerve supports VNC and RPD (Windows Remote Desktop Protocol) connections.

    Remote shell access

    Nerve integrates a remote shell access directly from within the browser for workloads and external devices. Alternatively, the remote tunnel feature can be used to bring the SSH connection or console port to a PC.

    Remote access to virtual machines without VNC or RDP server activated

    Nerve permits remote access to the screens of virtual machines even if they do not have a VNC or RDP server running themselves. This feature is only available for virtual machines running on Nerve Nodes. External devices still require a VNC or RDP server activated to access them.

    Accessing external devices

    Remote viewing in Nerve does not only cover access to workloads and nodes. Users can easily configure external sources for remote access, like a Windows PC running a RDP server or a device with SSH access. Nerve offers a secure hub for remote access to all devices in the machine or production network.

    Launch all remote access through a browser

    The remote access features (screen viewing, shell access, remote tunneling) are all available directly from within a browser, fully integrated in the Management System.

    Local acknowledgment for remote access

    Nerve can be configured to require local acknowledgment for remote access. If activated, a user needs to accept a request for remote access on the node. This ensures that no one sees or interferes with production.

  • Nerve includes a logging subsystem in the cloud which can capture logs from all nodes and the Management System.

    Centralized Logging

    Nerve provides logging services based on the well-known KIBANA system. All system events, node events and applications are logged centrally. Pre-configured dashboards allow users to get started quickly without prior experience of using KIBANA.

    Logging from within applications

    Nerve provides the infrastructure to log the messages and errors of your application. You just need to configure your application to log into a Linux Syslog service and Nerve will ensure your logs can be accessed centrally.

  • Nerve provides a comprehensive networking subsystem which permits users to control the connection between workloads, and from workloads to external devices.

    Configurable networking for workloads

    Nerve Nodes have pre-configured integrated networking, providing IP-level network communication between workloads and to the external networks connected to the edge device.

    Access through NAT

    Workloads can connect to virtual networks which are behind a NAT (network address translation) system that hides their internal IP address.

    Access to external ports

    Workloads can connect to virtual networks that are mapped to external ports of the edge device.

    Communicate over internal links

    Nerve provides virtual networks which are node-internal only. These can be used to communicate between individual workloads.

  • Nerve includes a Role-Based Access System to control the access for individual users to certain features of the Management System.

    Role-Based Access

    Nerve user management follows the RBAC concept. Users are assigned to roles. Roles are given rights for specific actions.

    LDAP Support

    LDAP can be used to connect the Nerve user management to a company’s active directory service. Users, their roles and their passwords are managed through LDAP. The definition of the rights for specific roles stays within Nerve.

  • Nerve can be managed through an API for automating repetitive tasks or for connecting the Nerve Management System to other systems.

    API rights

    Nerve rights management extends to the Management System API. Users can control the permissions of other software controlling the Nerve Management System through the API. For example, a script controlling the automated build process of user software could be given the rights to create a workload, but not to deploy it.

    Firewall friendly connection

    Nerve Nodes only connect to the Management System through port 443, enabling access from anywhere with https connection.

Technical Specifications

  • Base System
    • Base System
      • Linux based kernel
      • Support for Atom, Core I5 and I7 based COTS hardware (qualifi able as Nerve Devices)
    • Hardware Support
      • TTTech MFN 100, Kontron A-250/A-150, Siemens Simatic IPC 127E/427E, Vecow SPS 5600, SuperServer E100-9AP-IA / 1019D-16C-FHN13TP/ 5029C-T
    • Hypervisor
      • ACRN and KVM
    • OS Support
      • Linux and Windows (as virtual machine)
    • Soft PLC
      • CODESYS 3.5 (PROFINET Master/Slave, EtherCAT, Modbus TCP/IP), Cycle time down to 1 ms Hosted in a real-time virtual machine to ensure isolation
    • Workload Management
      • Local UI for workload management
      • Resource management to ensure application performance
    • Extensible Architecture
      • Open for integration of 3rd party software firewalls
    • Updates
      • Over-the-air updates for Base System
    • Communication Security
      • Encrypted Transport Layer Security (TLS 1.2) based communication
      • Firewall friendly - communication to the Management System uses port 443
    • Application Sandboxing
      • Applications are hosted as virtual machines and containers to maintain system separation
    • Network Segmentation
      • Configurable networking for separation of workload networks
      • Data Services
        • Database
          • Timescale Time-Series Database (optional Infl uxDB)
        • Multi Protocol Gateway
          • Graphical User Interface for configuration
          • High speed data ingestion: 100,000 data points per second
          • Accurate time-stamping at ingestion point
        • Input Protocols
          • MQTT / JSON, Modbus, Siemens S7, OPC UA Client/Server, OPC UA PubSub
        • Output Protocols
          • MQTT / JSON, OPC UA Client/Server, OPC UA PubSub,Timescale DB (SQL), Infl uxDB, Microsoft IoT Hub
          • Offline buffering and automatic synchronization
        • Data Visualization
          • Grafana locally on Nerve Device and remotely in Management System
        • Analytics
          • Python SDK and toolchain for analytics container creation
          • Analytics support built with Intel MKL and DAAL libraries
          • Output to Azure IoT Hub
          • Management System
            • Hosting
              • Hosted on Azure cloud or on-premises
            • Management System
              • Deployable as Linux Docker with browser-based GUI
              • View status of connected Nerve Devices, secure onboarding of new Nerve Devices
              • Supports low bandwidth and intermittent connections to Nerve Devices
            • Workload Management
              • Workload management (deployment and updates) remotely via Management System
              • Selective application deployment to mitigate user error
              • Workloads accessible from the external network
              • Support for local repositories (service PC or server)
            • Database
              • Timescale Time-Series Database
            • Data Visualization
              • Grafana via Data Services
            • Permission Management
              • User management via LDAP, OAuth 2.0 support
            • Remote Access
              • Remote service access (VNC, RDP, Shell), remote port tunneling (e.g. for FTP)
              • Connection via http and https proxy server in Local UI network setup
            • Logging and Monitoring
              • Centralized logging support (Elasticsearch/Kibana)
            • Alarms
              • Alarms created through Grafana (RAM, CPU, temp. status & certifi cate expiry warning)