Bitter Lessons from the ISSpresso

The Italian space agency’s official technical report on designing the ISSpresso barely masks their astronauts’ horror at the conditions they found when they first drifted aboard the International Space Station. The Americans were up there drinking instant coffee, like animali.After two years, four prototypes, and a great deal of paperwork, Lavazza and the Italian space agency sent a proper espresso machine to the ISS in 2015. On Earth, a basic Lavazza espresso maker costs about $150 and weighs 3.5 kilograms. The coffee machine’s spaceborne cousin was a 20kg box about the size of an oven. The cost to build it was not disclosed, but was likely in the single-digit millionsBehold the ISSpressoAsking how a coffee machine got to be so huge and expensive in space is a good way of understanding the cost drivers in human space flight. Espresso machines are not particularly lethal on Earth, but almost anything on the space station can kill the crew if it’s built wrong. So the ISSpresso had to prove to NASA’s satisfaction that it would not take out the station’s electrical system, interfere with the radio, leak boiling water, catch fire, dazzle the crew with bright lights, electrocute anyone, be dangerously hot, make loud noises, emit noxious gas, shatter into fragments, smell weird, or shake apart in the harsh conditions at launch. (The sharp pin that punctures the coffee capsule required a special safety waiver.)The authors of the technical paper on ISSpresso include a list of some of the NASA standards they had to comply with to get their machine certified for launch and orbital coffeemaking. These documents are not light reading. It can be tempting to dismiss them as NASA run wild, and there are certainly some requirements (like handle shape or enclosure color) that seem arbitrary. There is also a lot of bureaucratic connective tissue, like the standards for harmonizing processes between NASA and the European and Japanese space agencies, who all build their hardware to slightly different specs.But most of the technical requirements in this list have substance. They fall into a few broad categories:Making sure nothing on the payload damages the space station, either in normal operation or if something goes haywire. Lots and lots of fussiness about electrical behavior and electromagnetic interference. Consistency in interface design with other ISS hardware.

Demanding proof that the ISSpresso can take a physical beating (especially during launch), endure kicks from astronaut feet, sudden decompression to vacuum, abrupt surges or sags in voltage and water pressure, and other environmental insults. Ensuring the heating element doesn’t burn anything or set itself on fire. This is a trickier requirement in space, where air doesn’t cool things by convection.Fluid handling requirements specific to the zero g environment. The ISSpresso has to contain spills and not fill the cabin with a mist of boiling water. It also has to play nice with ISS plumbing.Astronaut-proofing the enclosure, which will inevitably be kicked and used as a handhold. This includes making sure nothing can hurt a clumsy astronaut (sharp edges, pointy switches, pinch points) or break if it’s yanked on.Proving that the ISSpresso won’t shake apart during launch or damage whatever it launches with.Antimicrobial measures for all wetted surfaces and plumbing.Basic OSHA-type stuff like noise limits.None of these requirements are frivolous, and some of them reflect dangers unique to spaceflight. If the plastic cover shatters on your espresso maker back home, you’ll be mildly inconvenienced. But if that cover shatters in space, it can pose an acute inhalation and eye hazard. The many technical requirements are enforced by the Safety Review Process, itself a highly regimented standard. The Process takes designers through a series of project milestones and official reviews that ultimately satisfy NASA that each requirement on their lists has been met. The Safety Review Process begins with a friendly chat about general design ideas, and then ratchets up in rigor and unpleasantness. By the final milestone, a NASA bureaucrat is shining a light bulb in your face and screaming at you to confess everything you know about mission risk. It’s not enough to tell NASA that you plan to put your payload on a truck and drive it to Kennedy Space Center for launch; you have to analyze the g-forces for every crane movement and specify how fast the truck will go. Any conceivable failure mode has to be identified in a Hazard Report, along with the proposed fix, and that fix has to be certified.

A helpful flowchart from a NASA safety document (SSP 52005 Revision C) showing how to handle fracture riskThere is a truism in aerospace: when you pay $500 for an aviation-certified thumbtack, what you’re really paying for is the ten binders of compliance documents, certifications, and tests that accompany it through the production process, along with a promise that someone will go to jail if any part of that process is falsified. The Process is painful, but it’s not unique to NASA. We run versions of it in aviation, military, and medical contexts, wherever human lives are at stake. It is often ridiculous and everyone hates it. But some version of it is the only way to be sure systems behave as intended. Let me illustrate this with a moving personal anecdote!I live in a solar-powered home in rural New Mexico. The house is not connected to the electrical grid; instead, power from solar panels feeds a rack of batteries, and a machine called an inverter draws power from the batteries and turns it into household current.The solar system in my home is supposed to be decoupled. One wall of the electrical closet has all the solar gear; the other has a standard junction box with circuit breakers like you find in a normal home. From the house’s perspective, alternating current flows in just like it would from a power line. And on the solar side of the system, the inverter doesn’t know or care about what’s happening inside the house. As long as the total power draw stays under a generous maximum, everything is supposed to just work.That’s the theory. But after upgrading the inverter last year, I found myself beset by electrical gremlins. A few times a day the lights would dim, and I could hear the pump in my aquarium start to make a choking noise. At those times, a display on the inverter showed the A/C voltage dipping. Sometimes the inverter would reboot, taking down power for the whole house for a minute. There was no discernible pattern in when or how often this happened. I thought I could live with the problem until it started killing my furnace. The first couple of times, the victim was a transformer, a $25 part on the circuit board that I learned to replace myself.

But the third time around, the voltage drop burned out the entire logic board, forcing an expensive repair that left me without heat for a week. At this point it was November, and heating the house had become a game of Russian roulette. I knew that every minute the furnace stayed on, a blip in the electrical system might kill it. No one I talked to could identify a cause. I had to figure out what was causing the drops in voltage before the house became unlivable. Being a software guy, I decided to try binary search. I turned off half the circuit breakers to the house one day, then the other half the next, to see which side the problem was on. Soon I had isolated it to one part of the house, and then to a single circuit in the bathroom. There I found the culprit: a Japanese shower toilet. The toilet had a small heating element that turned on and off to keep the water in the bidet attachment and seat warm. Whenever the heater came on, its modest appetite for electricity was somehow enough to destabilize the inverter, which then briefly delivered lower voltage to the entire rest of the house. While most appliances could handle these dips, the furnace could not, and died dramatically. Even though the toilet’s power demand was low, there was something about its Japanese expectations for voltage and frequency (just a little bit off the US standard) that made the American-made inverter crazy.Figuring that out took me several weeks and a few thousand dollars. My mistake was believing that the power system really was decoupled—that nothing in the house could affect things upstream of the junction box. That is what the inverter specs and circuit diagrams all said. That is what customer support told me. But it wasn’t true.Since that time, I’ve learned that small heaters (like coffee makers or kettles) can be kryptonite to an inverter, and that this is common folk knowledge among solar installers. But the consequence, that a guest can do damage to my home by plugging in a hair dryer, is still unsettling and counterintuitive.This is the class of problem all those NASA interface requirements are trying to forestall. If you’ve ever had a faulty wiring harness in your car (hello Jeep owners!) you know what a nightmare it is to try to chase down intermittent, poorly localized faults.

NASA inflicts eye-watering certification costs on itself and its partners to avoid trying to diagnose this stuff in space, where half the systems can’t be powered off, and where there’s a high chance of killing the crew if you break something.Undoubtedly, some proportion of NASA’s Safety Review Process is overkill. But even if we could cut regulatory overhead by 75%, a device like the ISSpresso would still cost a few hundred thousand dollars to develop and end up built like a tank. The blast radius of malfunctioning hardware on human-rated spacecraft is simply too big to avoid doing some version of the safety dance. This has uncomfortable consequences for space dreamers.There is a widespread belief that launch costs are what has been holding back space exploration, and a corresponding excitement now that they are dropping by a potential two orders of magnitude. Many SpaceX fans in particular believe that Starship solves every problem by being huge and cheap. And they are partially right! It would be much easier to send people to Mars on a 1200 ton rocket than to try to fit all the equipment they need into a 60 ton transit habitat engineered like a Swiss watch.1But cheap launches can’t solve the equipment problem. Ultimately, whatever we put inside the spacecraft has to work as advertised, and until we have hundreds of person-years of experience living in space habitats, the only way to guarantee that will be an expensive process of flight qualification and testing. That means future human missions to space will have the same cost profile as big space telescopes do today—a few hundred million spent to launch stuff, and billions spent inventing equipment and trying to get it to work right.A view of the impressive internal plumbing on the ISSpressoLike all our problems, this one gets worse on Mars.The defining feature of a human mission to Mars is that risks are sequential and cumulative. Every link in the chain has to go right, or the mission fails. This means early visits to Mars will have safety and reliability requirements that make the Space Station look like a middle school science fair.These requirements will be especially tight for the surface part of a mission. Any equipment that lands on Mars will have to demonstrate that it can launch from Earth, sit dormant for six months, survive entry and landing, and then work in partial gravity and dust without breaking for 17 months.