Optimal Design and Synthesis of MEA Power System Architectures Considering Reliability Specifications

Aircraft electrification requires novel designs to supply the growing demand for electric power onboard through efficient and reliable production and distribution of electrical energy. Moreover, the aircraft power system will be a key enabler for the integration of future technologies. Pledging to these intentions, we propose a formulation to synthesize a power system architecture that complies with safety specifications following a platform-based design methodology that optimizes the main aerospace drivers. Due to the nonlinear nature of the design problem, this article presents reliability-based MILP network design formulations for topology synthesis. The novelty of this approach relies on the adoption of network design optimization for MEA power system construction that allows explicit design formulations as MILP problems. This approach will provide an effective way to include safety specifications by introducing reliability and resiliency constraints.

u i j,k , u i,k Boolean that enforces disjointness on paths q for k in connection i, j and component i . s Probability of successfully reaching component i while on paths q for k. o ab,k Boolean variable to select two disjoint-path reliability for path k. γ a,b Two-disjoint path reliability coefficients. α a , β b Reliability coefficients for each disjoint path.

I. INTRODUCTION
T HE aircraft's electric power distribution system (EPDS) is a network that provides electrical power from the onboard sources (engine-driven generators, backup systems, ground supplies, and so on) to the loads. These loads comprise all of the devices or subsystems that provide essential functionality for performing a safe flight. It is expected that on the more electric aircraft (MEA), an important percentage of the power demand, including propulsion systems [1], will be fed completely by electricity [2], thus increasing the number of electrically powered devices. With the increasing trend to replace hydraulic and pneumatic systems with electromechanical counterparts onboard [3], EPDS is expected to support an extensive number of configurations based on a larger utilization of power electronics [4] for an increasing number of loads with higher power demands. Certainly, the EPDS will play a vital role in future aircraft performance and safety. Safety being the paramount attribute for airworthiness qualification in the aerospace industry, it is necessary to investigate the reliability of novel EPDS paradigms and topologies. While it is crucial to provide redundant circuits to feed critical loads when failures occur, it is also important to present an efficient and cost-effective solution. Currently, the standard defined by the aircraft manufacturers guides the conceptual design of an EPDS. This practice has led the subsystem and component suppliers to locally design through a separate optimization approach that is not necessarily optimal with respect to the EPDS network level [5]. The aim of this work is to present an optimization-based design framework that has the potential of synthesizing an MEA EPDS architecture such that it complies with a set of safety specifications to supply critical loads under failure conditions (representing a set of requirements from the standard). The performance evaluation of the potential MEA EPDS is reliability-centered (using reliability metrics for both components and system), and the selection of the optimal EPDS candidate relies on the reliability's impact on the system's weight and cost. Given recent interest in mixed-integer linear programming (MILP) techniques in other microgrids [6] and transportation electrification problems [7], [8] due to their global-optimum convergence and quicker solving times when compared with other solvers handling the hard-to-solve nonlinear version of the problem, MILP is adopted in the design framework. The proposed framework will address an investigation of reliability-based design formulations for the synthesis of MEA EPDS architectures considering the main aerospace drivers, i.e., safety, cost, weight, and efficiency. This approach pretends to the extent the few contributions available combining a design framework with MILP reliability-centered optimization. Although MILP is not necessarily unusual in the design of electrical systems in other applications, it is particularly new for the MEA application. The rest of this article is organized as follows. A literature review in the MEA EPDS design is presented in Section II. Then, Section III will introduce the EPDS design problem whilst depicting the main implications and difficulties. Later, Section IV will propose an optimization-based decomposition method to synthesize an EPDS. This is followed by a linear transformation in Section V needed for solving the problem efficiently. In Section VI, the proposed method will be used to synthesize an MEA EPDS that satisfies a set of reliability specifications; these EPDSs will be assessed in terms of the main aerospace drivers. Finally, this article will come to a conclusion in Section VII.

II. LITERATURE REVIEW
Until recently, EPDS designs were typically based on a conventional design flow with a mixture of engineering expertise, practical experience, and general logic. Due to the growth in complexity of power requirements on MEA EPDS and its multidisciplinary interactions with other aircraft's systems, the design process demands new alternatives over the intuitive expertise of designers to make the initial downselections and define a design space that is tractable [9]. Following this route, more research has been focused on the design framework proposals [10]- [13], architecture investigation and analysis [14]- [16], EPDS performance evaluation with analytical or simulation techniques [14], [17], [18], optimization-based design models [5], [19]- [21], or a combination of approaches, including some forms of design methodology, performance evaluation, and optimal selection [15], [16]. However, MEA EPDS design is still at an early stage, and few methodologies in the architecture synthesis direction have been explored.
Among the design frameworks that have been applied to the design of new MEA EPDS architectures, there are cyberphysical system [10], [22]- [24], platform-based design (PBD) [13], [25], integrated design by optimization [20], [26], and the optimization-based extended Pareto front method [5]. Several contributions have been devoted to the study of MEA EPDS as a cyber-physical system, whose concept envisions the integration of computation, communication, control, and sensing technologies [22]. With the introduction of new syntaxes [27] and domain-specific language [24] to satisfy the operational requirements of an MEA EPDS [23], the architecture design of a cyber-physical MEA EPDS is possible having developed proficiency in new methods [11], control techniques [28], toolboxes [24], [29], [30], and their integration. These techniques and tools have introduced a set of systematic steps to manage complexity and requirements satisfaction. In regards to architecture design, the cyber-physical framework shares with other frameworks a consistent use of optimization routines, with special attention to MILP [7], [10]. Given a set of functional and reliability specifications, PBD incorporates optimization, including correct by construction [31] and contract-based design [10] methods. The latter synthesizes an EPDS by iteratively solving an algorithm motivated on an MILP modulo theory [32], where the number of constraints increases on every iteration depending on the satisfaction of the reliability requirements. On the other hand, based on the impact analysis of aerospace drivers, correct by construction divides the design process into a number of abstraction levels (platforms) and refinement steps that are solved sequentially. There are as many refinement steps as the number of platforms until the latest abstraction level is close enough to the physical implementation [13]. In the case of MEA, an EPDS platform is a shared set of common design, engineering, and production efforts, as well as major components over a number of distinct models and types of MEA, often from different but the related structure (network). In addition, platforms eliminate large loop iterations and restrict the design space via new structures that provide some design potential for lower cost [33]. The number of intermediate platforms is the essence of PBD and facilitates higher level optimization. Following the spirit of PBD, this article presents a design framework that relies on an MILP reliability-based network design that holds the following: 1) ensures compliance with a set of reliability requirements by introducing reliability performance constraints in the MILP optimization, that is, performance evaluation is included as design conditions; 2) searches over a design space determined by a set of functional (operational) constraints and major components in order to reach a high-level optimum, that is, system's investigation and analysis is performed during the optimization itself; 3) reduces the necessity of integrating several computational toolboxes and other analytical resources to search the design space and produce an MEA EPDS architecture.
The key EPDS components that define an MEA platform include generation system, power distribution system, and electrical loads. Depending on their desired performance under several conditions (e.g., overloads and harmonics content), sizing of the EPDS components requires some iterations within the aerospace system engineering. The method proposed could potentially mitigate the number of these iterations through earlier abstraction of functionalities (via constraint additions), thus leading to an accelerated design by identification of optimal options. Recent reports have investigated the selection of optimal MEA EPDS [16], [34]- [37], while others have highlighted the importance of architecture synthesis through optimization of reliability, weight, and cost [4], [20], [38]- [40]. For the purpose of assessing reliability, it is vital to translate the safety specifications into a precise set of reliability constraints that accomplish the expected performance. In a previous investigation [41], a reliability approach for the MEA EPDS design was explicitly formulated as an optimization problem with reliability constraints. Essentially, critical loads that are crucial for flight tasks must be powered at all times and must have alternative power supply routes in case of failure events in EPDS components. This feature has been extensively studied in network design [42]- [48]. In order to increase reliability, the designer allocates enough spare capacity such that there are sufficient backup routes to deliver power to prevent critical loads from suffering a power interruption. Therefore, network design techniques can then contribute to efficiently modeling and solving an optimization problem for the MEA EPDS synthesis. It is also possible to improve reliability by considering disjoint paths for power delivery [48] so that the supply on critical loads is not interrupted after the failure occurs on an active path. An EPDS can also be designed to ensure power availability on critical loads in the event of component failures [45], connection failures [47], or general failure scenarios [46]. In this case, the system is said to be resistant to failure or resilient [47]. Also, when critical loads are still powered and an EPDS is able to perform its function under a failure scenario, the system is said to be survivable [46]. Resiliency will be modeled within the design formulations in order to achieve high power availability.

III. AIRCRAFT POWER SYSTEM DESIGN FRAMEWORK
An MEA EPDS generates and distributes electrical power onboard. The design of such an EPDS has a large number of degrees of freedom. For instance, given a certain MEA application, several design requirements on physical implementation arise: number of power sources, type of power generation, power train configurations, number of different voltage levels, operational values for the different voltage levels, type of distribution (radial, ring, primary and secondary, and so on), number and type of power converters, technology for power conversion, power conversion switching frequencies, and many other factors that are also related to EPDS's performance (e.g., transient dynamics response and harmonic content). Certainly, the solution to this design problem is far from trivial (design challenge). Even if a design formulation could be produced, its search space will be prohibitively large due to a combinatorial explosion between all of the technical and economic factors influencing the EPDS's construction, which will make finding an optimum extremely hard. Thus, it is necessary to adopt a design framework that allows efficient design-space exploration and optimum identification and selection.

A. MEA EPDS Design Challenge
In the construction of an MEA EPDS, it is necessary to optimize weight (at minimum cost) while maximizing efficiency and reliability; hence, it can be a multiobjective problem. The system's reliability is determined by the availability of electrical power at the load's terminals. This reliability is enhanced by establishing alternative power paths to make the system resilient and supply critical loads at all times (noncritical loads can be shed if required), which introduces a combinatorial process in the problem formulation. Besides, onboard power generation is usually sized according to the maximum load demand and resiliency to failure of one power source, but sizing could include temporal overloads, demand profiles (data models), dynamic response and stability, and so on, which introduces interaction of other phenomena and disciplines in the problem. Considering that generator's weight and efficiency are only influenced by its size, as shown in Fig. 1 [49], these characteristics become conflicting optimization objectives: larger but lighter generators could run inefficiently most of the time if compared with a heavier system of several generators running either at maximum efficiency or turned off.
Later, the power distribution network should provide several alternate paths to ensure power availability to the loads, which is finally an MEA EPDS resilient architecture. On top of previous complications to formulate the design problem, there is the main difficulty in synthesizing such an EPDS: assessing its reliability is a hard problem to solve. In fact, the EPDS reliability depends on the number of all the possible ways to supply the loads. For example, given the simple EPDS architecture shown in Fig. 1, if both loads were critical, a reliability evaluation technique, such as the path-tracing method, would deal with a number of n L = 16 possible paths to supply the loads [n: ways to supply loads and L: number of loads]. If n = 6 and L = 8 (not even a medium sized system yet), an exhaustive evaluation would explore more than 1.5 million combinations! To overcome this, the design framework proposed introduces resiliency characteristics (alternative paths), which prevents combinatorial explosion. To the best of our knowledge, similar approaches have not been applied to the MEA EPDS architecture synthesis application.

B. MEA EPDS Design Framework
We aim to construct an MEA EPDS that is able to satisfy the demand of a predetermined group of electrically driven loads even under component-failure conditions. In general, the EPDS can be built by selecting and connecting a group of power generation and distribution components (topology synthesis). Given a set of power sources (e.g., generators, batteries, and energy storage systems) and distribution components (e.g., rectification or inversion units, transformers, cycloconverters, and buses), the problem is to determine which power sources should supply which loads through which distribution devices, such that all loads are supplied at the reliability level required. Hence, EPDS design requires a selection process to decide which components are required, e.g., by adopting a set of the Boolean values (0 or 1) to include or not each component/connection in the EPDS. Beyond these selection variables, other decision variables might be used to decide over continuous parameters (sizing), e.g., nominal rating of power sources and converters and power supplied by generators and converters. Commonly, EPDS design requires the definition a priori of certain application-dependent aspects that will limit the search space to some extent. This delimitation will confine components into a library (template or graph) from which a number of components and feasible connections between them will be chosen. This library constitutes the platform of the corresponding abstraction level.
In this article, the MEA EPDS design space is explored by evaluating the four main aerospace industry drivers (which are also design variables), i.e., cost C, weight W , efficiency η, and reliability r . To do so, it is compelling to observe the following relations between C, W, η, and r in the aircraft industry [31].
1) The number of generators and their power ratings drives the tradeoff between cost and efficiency.
2) The reliability performance of the EPDS is assessed as the availability of power at loads' terminals.
3) The cost of power distribution is driven by the generator-load combination and the topology of the EPDS. 4) The weight of the power conversion is driven by a power density (kW/kg) and the amount of power to convert; thus, it is independent of the generator-load combination.
The abovementioned points represent the insights to redefine the MEA EPDS design. Given these insights, EPDS generation and distribution are amenable to be designed sequentially by adopting a PBD-inspired methodology. Through a series of refinement steps between abstracted platforms, PBD can implement an MEA EPDS architecture [50]. The proposed framework is depicted in Fig. 2, where the MEA design challenge (left) is undertaken by the design framework proposed (right) with the help of the aircraft industry's insights. The resultant platform is a synthesized MEA EPDS architecture.
The design exercise starts with a set of design specifications and requirements. After abstracting the intermediate platforms based on the aerospace industry insights and the disruptive platforms envisioned for MEA [2], [4], [16], [51] (see Fig. 2, Power Generation System or Platform A, and Distribution System Or Platform B), an MEA EPDS architecture can be synthesized (Platform C). Each refinement step between any two platforms demands a reliability-based design optimization to ensure performance compliance at an optimum C, W, η and r . The Power Generation System platform (Platform A) solves for the optimal amount, size, and assignment of generated power to the loads (load allocation). This platform uses some abstraction from the distribution system (Platform B) to provide a generator-load path. Then, the Distribution System (Platform B) is refined into an optimal EPDS network that finally forms, with the optimal power generation system of Platform A, the MEA ARCHITECTURE or Platform C. This architecture can be consecutively refined until the MEA EPDS can be implemented on a real MEA aircraft. However, the final implementation is out of the scope of this article. Whenever the design specifications change, it is possible to adapt the proposed framework with new constraints or intermediate abstractions so that it can fit in the aerospace system design iterations. The refinement between Platforms A and B is known as generator selection and generator-load pairing (GS&GLP step), and the refinement between Platform B and C is known as power distribution design (PDD step). The former, explained in Section IV-B, will determine the number of generators, their ratings, and the generator-load pairs arrangement, while the latter, detailed in Section IV-C, builds an EPDS topology with the previous step's solution [31].

IV. FORMULATION FOR THE DESIGN OF AIRCRAFT POWER SYSTEM
The MEA EPDS architecture (Platform C in Fig. 2) consists of a group of interconnected generators and distribution components that supply power to the loads through several paths to provide resiliency. Synthesizing such an EPDS from scratch requires the utilization of decision variables to select and determine a series of parameters to allow generation and distribution.
Concerning the selection process, the Boolean decision variables (1 if selected; 0 otherwise) will determine which components or connections are selected. For example, a binary variable g j (0 for no, 1 for yes) can determine whether generator s is selected, and the existence of a connection from i to j can be determined by a binary variable y i j (or y ji for the reverse connection, set to 1 if the connection exists, or 0 otherwise), and similarly with the rest of the distribution components. On the other hand, continuous decision variables could be used to determine the system's performance, i.e., cost C, weight W , efficiency η, reliability r , and other parameters, i.e., power flow P i j over connection y i j , and so on. In some cases, these performance indicators and parameters are functions of decision variables, e.g., cost C could be a function of g j , y i j , r , and P i j , weight W might be the function of g j , y i j , and P i j , and generation efficiency may be a function of power rating, loading, and so on. In most cases, these functions are nonlinear (see η in Fig. 1) or deserve a time-consuming evaluation (as in the case of the system's reliability, see Fig. 1). A general formulation that pursues a design goal may include: 1) optimization of C, W, η, and r ; 2) power balance; and 3) achievement of a certain reliability target. This formulation is compactly written in the following: The optimization goals in (1.1) are conflicting, and the reliability in (1.3) depends on the specific combination of system components chosen and the way in which they are arranged, which is a huge number of combinations. Given the difficulties in solving formulation (1.1)-(1.3), the design framework in Fig. 2 is applied.

A. Generator Selection and Generator-Load Pairing Step
The GS&GLP step attempts to select a number of generators, determine their ratings (sizing), and allocate a set of loads to each generator, i.e., produce a set of the generator-load pairs that meet the loads' demand and reliability requirements. An example of such an assignment is shown in Fig. 3. From a library of available generators and feasible connections forming a template in Fig. 3 (Platform A in Fig. 2), the GS&GLP step produces the solution shown in Fig. 3 (the optimum of the first refinement step); a template is a graph G = {g, E}, where g is the set of generators (1-4 in this case) and E is the set of generator-load connections (1 to {L 1 , L 2 }, 2 to {L 1 , L 3 }, and so on) that are referred as distribution paths for the rest of this article. These distribution paths will be later refined in the PDD step.
The GS&GLP problem can be formulated as the minimization of all w s (weight of generator s) and the maximization of all η s (efficiency of generator s). It will be assumed that the cost is directly proportional to weight; hence, weight minimization is equivalent to cost minimization (C ∝ W ). Let the selection of a generator s be performed using a Boolean g s (1 if s is selected, 0 if not). Also, let this generator have a power rating P G s and be connected to a load l with demand L l ; the connection between generator s and load l can be represented by Boolean y sl (1 if connection exists, 0 if not). The total power supplied by generator s is s L l y sl , and its loading factor β s is s L l y sl /P G s . Recalling that w s can be considered as a function of P G s and nominal speed (RPM), and that η s can be expressed as a function of P s and β s (see Fig. 1); then, the GS&GLP problem can be written as in (2.1). The product of w s and η s by g s in (2.1) allows to set weight and efficiency of generator s to 0 when it is not selected The result of (2.1) comprises the selection of generators g s , their power ratings P G s , and the generator-load pairs y sl (or distribution paths). In specific applications, several technical aspects are decided a priori, e.g., operating speed, type of electrical machines (e.g., PMSM), geared or nongeared powertrain, and the maximum number of generators. Along with (2.1), a set of connectivity and reliability constraints are included. Connectivity ensures power balance, as in (1.2). The reliability constraints ensure the required power availability at load terminals. An EPDS's reliability will depend on the reliabilities of the generators (r s ) and the reliability of the distribution paths. The former is frequently available from manufacturers' datasheets. However, the latter is unknown at this stage. To overcome this uncertainty, the distribution system will be depicted as a virtual system V S (containing the set of y sl distribution paths) whose reliability r V S can now be specified in three ways: 1) as a lower boundary r V S (a minimum reliability will be assumed to be achievable in the PDD step); 2) as a single variable r V S ; or 3) as a set of variables r sl (one for each y sl ). In any case, for a load connected to a generator s, the reliability can be written as in the following equation: The left-hand side of (2.2) is the reliability of a series system assuming independent components' reliabilities. Furthermore, a load that is connected to different generators through independent paths would be powered unless all generators/paths fail, a probability that can be expressed as in the following equation: That is, (2.3) is the reliability of a parallel-series system. The optimal solution for the GS&GLP comprises the following: 1) a group of selected generators (⊆ ) with their corresponding ratings P G s ; 2) a set K containing the group of selected connections y sl (each y sl supplies load l from generator s), i.e., K = {k 1 , k 2 , . . .} for which y sl = 1, where k represents a selected distribution path y sl , and K ⊆ E; 3) the reliability of the distribution system, either as r V S , r V S , or a set of r sl (one per selected y sl ). The optimal GS&GLP solution is used in the PDD step (next refinement step), explained in the following.

B. Power Distribution Design Step
Considering the synthesized optimal power generation system (Platform A in Fig. 2) from the previous GS&GLP refinement step, the PDD step attempts to find a topology for the MEA EPDS such that the resultant platform is the MEA EPS architecture (Platform C in Fig. 2), which is the object of investigation in this article. Hence, PDD selects a group of distribution components and connections to construct or refine the distribution paths of the GS&GLP step. The PDD problem can also be formulated as (1.1). Following the C ∝ W assumption, PDD refinement step can be expressed as a cost minimization problem subject to connectivity and reliability constraints.
Consider a template represented with a graph G = {N , A}, where N is a set of distribution devices (converters, buses, and so on) and A is a set of connections (conductors, contactors, and so on) between components in N (see Fig. 4). Let a connection between components i, j exist if a Boolean x i j is set. Also, let a component i be selected if a Boolean v i is set. The distribution system's total cost comprises a fixed cost (e.g., installation cost) and a variable cost that depends on the amount of power transferred. Let x i j have a fixed cost c i j , a variable cost c kW i j , and a power flow P i j that is the summation of all existing power flows P i j,k per distribution path k, i.e., P i j = k∈K P i j,k . Similarly, let v i have a fixed cost m i , a variable cost m kW i , and a power flow P i , which is the summation of all transferred power flows P i,k per distribution path k, i.e., P i = k∈K P i,k . The distribution system's fixed cost is the summation of all the connection's c i j x i j and all the component's m i v i fixed costs. The variable cost is proportional to the amount of power transferred through connections (P i j ) and components (P i ), k∈K P i j,k , and k∈K P i,k , respectively. Hence, the variable cost for connections is c kW i j ( k∈K P i j,k ), and the variable cost for components is m kW i ( k∈K P i,k ). Then, the total cost of the distribution system can be written as follows: P i,k can be defined as the summation of all the power from incoming (or outgoing) connections, i.e., P i,k = P i,k so that all connections and components' power flows can be represented with P i j,k flows. The reader can refer to Fig. 4 for the relations between P i j , P i , P i j,k , P i,k , and the distribution path k. The variable cost can be thought of a proportional cost that depends on the size of the system (which depends on the amount of power transferred). Therefore, connections and components are sized accordingly (e.g., conductor gauge, converter size). Alternatively, c i j can include both component cost and connection cost, thus eliminating the m i v i term in (3.1). This simplification is viable when modularity is required, e.g., the addition of customized converters with swappable boards whose number of boards depends on the power requirements, bus-bars systems, and so on.
Following (1.1), efficiency might be included in (3.1). The EPDS distribution's efficiency depends mainly on the type of power conversion technology and other implementation factors, e.g., equipment location and load type. In the PDD platform, the power conversion functional model relies on the voltage step-up/down for a certain power transmission whose weight depends on a power density figure. Further refinement steps are needed so that the abstraction of efficiency-related functional specifications are possible and power conversion topologies are explored [52]; hence, the efficiency is deferred for future research works. A group of constraints on connectivity, flow balance (1.2), and reliability are added to (3.1).
Assuming independent failure events, with r i j denoting the reliability of the i, j connection and r i the reliability of component i , the k distribution path's reliability is the reliability of a series system ⎛ 2) contains of all the components and connections that form the path k. The reliability target r TARGET,k of the distribution path k in (3.2) must match the reliability of the distribution system found in the GS&GLP step, that is, r TARGET,k (equal to r V S , r V S , or r sl ). If (3.2) is unable to meet r TARGET,k , an expression to allow alternative paths is required. The addition of alternate paths increases the system's reliability and incorporates resiliency in the EPDS. Considering a number of w alternate independent paths that connect the generator and load of the distribution path k, the reliability can be calculated as the left-hand side of (3.3), which must exceed some minimum value r TARGET,k The higher the number of alternative paths, the higher reliability is obtained, at the cost of increasing the size of the system. Hence, there is a compromise between reliability, cost, and weight in the PDD step that leads to a tradeoff. The number of alternate routes can be determined either by strengthening the EPDS for a set of failure scenarios, e.g., prepare for all single-component failures, or building disjoint alternative paths [48], [53] for powering critical loads. While the former requires the incorporation of a failure set, the intention of the latter is to increase the probability that at least one path delivers power to critical loads. Thus, the reliability constraints in (3.2) and (3.3) will be reformulated to perform a reliabilitybased or resilient network design. The resilient network design aims to synthesize a resilient EPDS architecture and could be used for obtaining the tradeoff between reliability, cost, and weight.
Summarizing this section, a PBD-inspired design framework is used to solve (1.1)-(1.3) in two steps: GS&GLP (2.1)-(2.3) and a PDD (3.1)-(3.3). The formulations given for the GS&GLP and PDD refinement steps are nonlinear and hard to solve. Therefore, in Section V, we propose a linear transformation (linearization) to produce an MILP formulation that can be solved in polynomial time (in terms of the number of variables and constraints) by an MILP solver to reach guaranteed optimality.

V. LINEAR TRANSFORMATION OF EPDS DESIGN
In order to avoid the use of heuristic techniques [48], [53], decrease the optimization complexity, and utilize an off-the-shelf MILP-solver, linearization techniques based on discretization, piecewise linear functions, and other equivalent linear models are used to solve the nonlinear formulations in the GS&GLP and PDD refinement steps.

A. Generator Selection and Generator Load Pairing
The GS&GLP problem in (2.1) is nonlinear and multiobjective: total weight minimization and efficiency maximization for each generator. One alternative to linearize (2.1) consists of reformulating it as a linear combination of objectives. In this case, each objective has importance determined by coefficients a 1 , a 2 ,…, a n . In addition, efficiency η s is expressed in terms of losses (η LOSS s ) to allow the optimizer to minimize total generation losses; the reader is referred to the Appendix for obtaining η LOSS (the optimizer will search over a finite set of values). An advantage of discretizing w s is that commercial values (discrete generator sizes) could be used. In discretization, only one of the possible values must be selected (unique value). Let a Boolean u sh select a unique value for the power rating P G h and weight w h of generator s, and let another Boolean z sb select a unique generation loss η LOSS hb and supply powerP G hb that correspond to the selected P G h . In this case, h u sh = 1 and h b z shb = 1 so that generator s has only one value on each of its parameters can also be approximated by piecewise linear (PWL) functions. PWL places a linear segment between a pair of discrete values; thus, the optimal solution can take intermediate values. Solvers could handle convex functions (w s , η LOSS s ) with less work than nonconvex functions (convexity is a degree of the function's curvature and discontinuity). Now, connectivity and reliability constraints will be added to (4.2). Each generator must have a unique rating (or power rating = 0 if the generator is not chosen); then h u sh ≤ 1 ∀s.  A load l can be connected to generator s only if that generator is selected as follows: (4.5) The total load power cannot exceed the selected generator rating P G h for any generator (4.6); similarly, the total load power cannot exceed the generator's supply powerP G hb (considering losses) ( Note that the supply powerP G hb depends on β s . Finally, (4.8) ensures that each load is connected at least to one generator s y sl ≥ 1 ∀l. (4.8) The reliability constraints in (2.2) and (2.3) are now linearized. By taking the logarithm of the product in (2.2) and (2.3), a summation results. Then, this summation is a linear reliability constraint that can be solved in two ways depending on the value of the distribution system's reliability. Recalling that the distribution system's topology is unknown at this stage, its reliability can be assumed to be r V S (achievable lower boundary), or it can be introduced as a variable (single variable r V S for the whole distribution system, or set of variables r sl for each distribution path) [8]. For the former, the reliability constraint is written as follows: where r TARGET,l is the reliability target for load l. Note that each term ln(1 − r V S r s ) is constant; therefore, (4.9) is linear. For the latter, the reliability of the distribution system (r V S , or the set r sl ) replaces r V S in (4.9). However, this reliability is now a variable that falls inside the logarithm and requires further linearization (a variable inside a logarithm is a nonlinear expression). Similar to w s and η LOSS s , we can discretize y sl ln(1 − r V S r s ) into a set of possible reliability values r E so (subscript o accounts for the discretized values of ln(1 − r V S r s )). Then, (4.10) and (4.11) are the reliability constraints when the reliability of the distribution system is a variable. In (4.10), only one reliability will be selected by setting a Boolean r S slo , such that o r S slo = 1 if y sl is selected, otherwise 0. Finally, (4.11) ensures that at least r TARGET,l is achieved on each load l, allowing it to be connected to multiple generators o r S slo ≤ y sl ∀s ∀ l (4.10) s o r E so r S slo ≤ ln(1 − r TARGET,l ) ∀l. Summarizing the linearization of the GS&GLP step, (2.1) is converted into the linear combination of objectives of (4.1). Because (4.1) is still nonlinear due to the product of variables, it is linearized by using discretization in (4.2). The constraints (4.3)-(4.8) are linear and ensure the connectivity between generators and loads. Finally, the reliability constraints in (2.2) and (2.3) are linearized to (4.9) if the distribution system's reliability is assumed as a lower boundary or (4.10) and (4.11) if the distribution system's reliability is a variable to solve for. Constraints (4.9)-(4.11) allow a load l to be supplied by multiple generators, thus providing resiliency when a generator fails. In Section V-B, the linearization of the formulations in the PDD step will be detailed.

B. Power Distribution Design
The PDD's objective in (3.1) is already linear, so the connectivity and reliability constraints can be considered. Power flow balance is enforced on every component i ∈ N by summing all incoming and outgoing power flows with its own generation power and load demand (if they exist). Incoming flows and load demand are considered positive, while outgoing flows and generation power are considered negative. Given the solution of the GS&GLP step, each distribution path k will have to satisfy the load demand d LOAD For any components i, j , the power flow P k i j flows in the i → j direction. However, it is possible to have flow in opposite direction by defining two variables for the same connection between i, j (such that only one can be positive at once), allowing power flow to be reversed, e.g., recovering energy in regeneration modes. The connection from i to j can only be selected if these components have both been selected; then Constraints (5.4) and (5.5) ensure that power P i j,k through any connection i, j and power through any component i can only flow if the connection x i j or component x i has been selected. For the rest of this article, the required flow along the distribution path k is d k , such that d k = |d LOAD k |, for notation simplicity The reliability constraint for the distribution system in (3.2) contains products and is nonlinear; thus, logarithms can be used for linearization. Constraint (3.2) also requires a subset of connections and components to form the distribution path k. Due to the fact that connection x i j and component x i can be used for more than one distribution path k, Boolean variables z i j,k and z i,k are used to determine if x i j and x i are being used for distribution path k once the connection x i j and component x i have been selected, respectively. Then Similar to (5.4) and (5.5), constraints (5.8) and (5.9) enforce no power flow (related to distribution path k) in component i or connection i, j if the component and connection have not been reserved for that distribution path k; hence Now, assuming a single path (series system), the reliability constraint in (3.2) can be linearized as in (5.10) by taking the natural logarithm of both sides. The reliability of each distribution path k must be at least equal to the reliability target r TARGET,k The PDD nonlinear formulation of (3.1) and (3.2) has been converted into an MILP formulation in (3.1), (5.1), and (5.12). Other constraints can be added to this MILP formulation to satisfy specific needs, e.g., restrict components' power or cable sizes [44]. Given that (5.10) assumes a series system (single path) for the distribution path k, resiliency formulations will be introduced in order to provide multiple paths, as proposed in (3.3). These approaches are known as resilient network designs [47].

1) Resilient Design for a Set of Failure Scenarios:
If a failure event occurs in any component i of the distribution path k, the single path breaks, the critical load is disconnected, and the reliability in (5.10) is no longer preserved. Therefore, a resilient design that produces a failure resistant system is required. Let F be the set of failure scenarios comprising connection failures [47] and/or component failures [46] that the system is expected to survive. The EPDS must continue supplying critical loads if any of the failure scenarios of the set F occurs (failure events in F are assumed to be independent). Hence, the flow balance in (5.1) applies to every failure scenario. The connection flow P i j,k is now the maximum of all the power flows existing on every failure scenario of the set F, i.e., P i j,k = max P i j,k , where P i j,k is the flow on connection i, j for the failure scenario and distribution path k. Considering the set F of failure scenarios, the flow balance can be written as Finally, the constraint for P i j,k (maximum of all P i j,k ) is (6.3), and integrality on the Boolean variables can be written in (6.4) The resilient network design for a set of failure scenarios is the MILP formulation [see (3.1) and (6.1)-(6.4)]. It is possible to consider component selection by adding (5.2)-(5.5) and (5.11). Although the determination of an exhaustive failure set (all possible failures) could be cumbersome because of the large number of components/connections and simultaneous failure combinations, it is possible to determine a partial failure set, e.g., a limited number of hazardous events that could compromise critical functions. At this point, it might be desirable to have an alternative if no set F of failure scenarios could be determined. This situation could be found when considering disruptive designs with experimental technologies. In these cases, there is limited information on the failure modes of the system because technology can be at the prototype level (likely to happen in MEA). Hence, in addition to the resilient design for failure scenarios, a two-disjoint path formulation will be introduced.

2) Resilient Design With Two-Disjoint Paths:
The distribution path k has an alternate path to transfer power flow if there is a failure on any component/connection that interrupts the power supply. In this case, both paths are considered disjoint because the failure in one of them must not limit the capacity of the other. It is possible that the alternate path supplies power from a different generator or power source (auxiliary unit, storage device, and so on). In most cases, both paths do not share the same components and connections in order to manage failures on any component of the first (or second) path. This approach is known as the two-disjoint path problem [53]. Disjointness refers to the use of different connections and components for each path, such that the probability that at least one path survives is increased.
Let q be the disjoint-path index, i.e., q ∈ {1, 2}. When connection i, j is selected, it can either allow power flow for the first or the second disjoint path; thus, P 1b) The Boolean Ù i j,k reserves power flow P q i j,k for disjoint path 1 or 2 only (not both) because either Ù i j,k = 0 or 1 − Ù i j,k = 0. Similarly, component disjointness can be established as follows: The Boolean Ù i,k reserves component's power flow for disjoint path 1 or 2 (not both) because either Ù i,k = 0 or 1 − Ù i,k = 0. Now, the power flow balance must be established for every disjoint path q; thus, it can be written as follows: is allowed to flow on either disjoint path according to the following equation: The integrality constraints on the Boolean Ù i j,k and Ù i,k are shown as follows: The reliability of two disjoint paths can be obtained using the probability of the occurrence of any two events, that is, P(a ∪b) = P(a)+ P(b)− P(a ∩b), and for independent events P(a ∩ b) = P(a)P(b). Let r q k be the reliability of the disjoint path q; then, the probability that at least one path survives must at least reach target r TARGET,k r q=1 k + r q=2 k − r q=1 k r q=2 k ≥r TARGET,k ∀k ∈ K . (7.6) For the calculation of each disjoint-path's reliability r q k , (5.10) suffices (reliability of a single path, series system). Considering (5.10), the product of the disjoint-paths' reliabilities in (7.6) produces an extensive series of products between variables. In order to avoid performing linearization on each of these products, a simpler approach to represent the disjointpath's reliability is introduced. Let a set of variables ê q i,k be defined as the probability of power successfully reaching component i (starting at the generator) when component i is reserved for disjoint path q (recall that distribution path k consists of two disjoint paths). Then, ê q i,k is If component i is selected, Ù i j,k = 1 and ê q j,k ≤ r i j r i s q i,k ; otherwise (7.7) relaxes ê q j,k to an arbitrary value if component i is not selected, i.e., Ù i j,k = 0. For the generators, ê q j,k is ê q GEN,k = 1 ∀k ∈ K , q ∈ {1, 2}.
(7.8) When (7.7) is applied to the load of the distribution path k, ê q j,k is the probability of successfully reaching the load, and s q j,k can be written as ê q LOAD,k . Then, ê q LOAD,k is the reliability of the disjoint path q so that ê q LOAD,k = r q k . Now, considering the variables ê q LOAD,k , the constraint on the reliability of the two disjoint paths (7.6) can be rewritten as follows: The values of ê q=1 LOAD,k and ê q=2 LOAD,k in (7.9) could be identical. This could originate an algorithmic issue known as symmetry problem, which can produce high computational effort during MILP optimization. To break the potential symmetry problem in (7.9), an additional constraint is introduced to speed up MILP optimization ê q=1 LOAD,k ≥ ê q=2 LOAD,k ∀k ∈ K . (7.10) With this approach, only one product in (7.9) requires linearization [unlike the extensive series of products in (7.6)]. An alternative to the linearization of ê q=1 LOAD,k ê q=2 LOAD,k is to express (7.9) as a group of linear constraints that select a value for the left-hand side of (7.9) directly. Allow each ê q LOAD,k to be discretized in a vector containing the disjoint-path' reliability values, i.e., α = [α 1 . . . α a ] and β = [β 1 . . . β b ] for q = 1 and q = 2, respectively. Also, allow a matrix [a × b] to have elements γ a,b such that γ a,b = α a + β b − α a β b . Let a Boolean Ó ab,k select a unique value for γ a,b ;l then, constraint (8.1) ensures that only one element γ a,b from the matrix is selected The two-path reliability constraint in (7.9) can be written as a b γ a,b Ó ab,k ≥r TARGET,k ∀k ∈ K .
A condition for (8.1) and (8.2) is that a unique value for each disjoint path's reliability (α a and β b ) must be selected. For the disjoint path q = 1, such a condition can be written as follows: A similar constraint for q = 2 can be written by replacing α a with β b and ê q=1 LOAD,k with ê q=2 LOAD,k ; α a−1 and α a+1 act as upper and lower values for α a . A drawback of this approach is the large number of Ó ab,k variables if higher accuracy were required. In (8.2), γ a,b could be stuck around r TARGET,k even when the disjoint paths' reliabilities are higher. To prevent this, an additional term in the optimization objective is needed to push ê q LOAD,k to its actual value. This term should be comparatively small with respect to the total cost to avoid biasing cost optimization. Then 3) Briefing of the MILP Resilient Design Formulations: This section concludes the MILP reliability-based network design formulations for the synthesis of MEA EPDS architectures following a PBD-inspired framework. The EPDS design has been split into two steps: GS&GLP and PDD. In the GS&GLP, a group of power sources or generators are selected, sized, and assigned to the loads. Then, this optimum is used to synthesize a topology for the EPDS in the PDD step. In order to increase power availability in the loads, resiliency was introduced in the MILP formulations of GS&GLP and PDD. In PDD, resiliency was appointed by designing an EPDS that tolerates the occurrence of failures, either by preparing the system for a set of predefined failure scenarios or providing two-disjoint paths for every distribution path. Specialized MILP solver packages will be used shortly to synthesize an MEA EPDS architecture in the case study of Section VI.

VI. CASE STUDY
The purpose of this case study is to exemplify the design framework presented in Section III by applying the reliabilitybased MILP formulations of Section V in the synthesis of an MEA EPDS architecture. Although there is an important number of MEA applications (electric propulsion, turboelectric, and so on) and EPDS network structures (dc, ac, ac & dc, single bus, ring, and so on), we provide a complete design assessment for a small-aircraft MEA dc EPDS architecture so that the designer can perceive the potential of our design framework proposal for wider applications. The technical considerations for the MEA EPDS design are detailed in the following.
1) The MEA EPDS structure will be based on a dc network with two voltage levels: a high-voltage (HV) level and a low-voltage (LV) level, because there are HV and LV loads. In its simplest structure, there are a number of source matrix contactor buses (bus bars) that distribute generation power, a number of power converters to transform power from HV to LV power, and a number of LV buses. This network structure has been studied in several publications as promising MEA EPDS [4], [16], [54]. Hence, following the design framework presented in this article, the templates G = { , E} for the GS&GLP step and G = {N , A} for the PDD step are shown in Fig. 5. 2) A PMSM generator with a power density of 7.0 kW/kg is assumed to be available. This assumption is in accordance with the expected technology for low-carbon MEA propulsion [55]. The number of generators will be arbitrarily limited to 5, considering the possibility of multiple small generators.  3) A power density of 6.7 kW/kg will be used for power electronic conversion [55] (assuming that high-powerdensity SiC-based power electronics technology is available). The weight of power conversion is assumed to be proportional to the power flow transferred, and this flow is assumed to be proportional to the cost. 4) The case study is solved using a Windows High Spec PC Intel Xeon 64-bit 3.60-GHz running CPLEX Studio IDE 12.9.0 [56]. The MEA EPDS supplies power to a group of four loads; the total demand is 125 kW. The loads' requirements (power demands and reliabilities) are shown in Table I. This table is part of the initial design requirements. The reliability target is expressed as a probability, e.g., load L 1 requires to be supplied (with generation power) with a probability of at least 1 − (1 × 10 −9 ). Loads L 1 -L 3 are LV dc (LV), and L 4 is the only HV dc load (HV).
The reliability targets in Table I are accompanied by a set of functional specifications, in this case, resiliency requirements. In addition to setting L 1 as the only critical load because it has the lowest probability of failure (of not being supplied) and determines the optimal MEA EPDS architecture for this application, we propose an extended set of resiliency requirements in Table II to illustrate the potential of the design framework.
There are 13 additional scenarios to the single-path formulation (Scenario 1). Scenarios 2-7 require some loads to be critical and the distribution system to be resilient over a set of failures, e.g., Scenario 4 defines loads 1 and 3 as critical, and its EPDS must be prepared for single failures in any power converter or LV buses. In the case of Scenario 5, N − 1 means that the EPDS is resilient under any single failure of any component. Likewise, scenarios 8-14 require some loads to be critical, but, for those critical loads, there will be two-disjoint paths to be supplied, while the noncritical loads are supplied through single paths. The MILP optimization objective and constraints in Table II refer to the optimization formulations of the PDD step. To begin with, the GS&GLP step is performed shortly.

A. Generator Selection and Generator-Load Pairing
The generator's rating power is in the range 25-150 kW (a small aircraft has ∼300 kW per engine), and its loading will be restricted to 40% minimum to avoid very low efficiencies. The weight of the generators is inversely proportional to the power density; then w s ∝ (1)/(7 kW/kg) or w s ∝ 0.1428P G s . An efficiency function η s relating power rating P G s and loading β s is approximated to be able to select generators of different sizes and loadings. The generator's cost to weight ratio is 870$/kg, and reliability of 1 − 1.0 × 10 −5 is considered for all the generators. The power distribution reliability is considered to be in the range of 0.9000-0.9997. The power generation system design specifications for the GS&GLP step (generation system platform abstraction) are tabulated in Table III.
The optimization selects a group of generators (with minimum weight and losses) such that connectivity and resiliency   Table IV. Three generators out of five were selected and the total generation capacity is 300k W. Also, nine out of 20 distribution paths were selected. Given that the reliability requirements of the loads (see Table I) are high, all loads are connected to two generators at least (L 1 is connected to all three generators), so the generation capacity is more than double.
The optimal solution of the GS&GLP is used in the PDD step to refine the distribution paths (build a power distribution topology). The reliabilities r sl of each path are used as reliability targets in the PDD step.

B. Power Distribution Design
Recall that there are three types of distribution components considered in the EPDS network structure: HV source matrix contactor (HV box), HV/LV dc converters, and LV dc bus. The source matrix contactor (HV box) allows power generation transfer without cross-connecting generators. The HV/LV dc converters are assumed to be of the dual-active bridge (DAB) type and can be connected to more than component on both sides. The LV buses can distribute power to multiple loads from more than one HV/LV dc converter. The power density ( p.d.), weight (w i j , w i ), fixed costs (c i j , m i ), variable costs (c kW i j , m kW i ) reliability (r i , r i j ), and maximum power for all connections i, j and all type of components are shown in Table V. The power density of the HV/LV converters is 6.7 kW/kg as previously stated. Although the characteristics for the connections i, j require the definition of voltage values, conductor types, insulation types, and so on, the values shown in Table V are assumed for illustration purposes.  Considering the optimal solution of the GS&GLP step shown in Table IV, the MILP formulations presented in Section V-D are used to synthesize an MEA EPDS architecture considering the platform abstractions of Table V. Several scenarios (consisting in different design requirements) were proposed in Table II, and these options are explored in this case study for the synthesis of resilient distribution architectures.
The set K of distribution paths connecting generators and loads (GS&GLP optimal solution in Table IV) is divided into two subsets: one that contains generators supplying noncritical loads (K NC ), and other that contains generators supplying critical loads (K C ). Therefore, connectivity and resiliency constraints applied on distribution paths differ depending on the critical load combination, as shown in the scenarios of Table II. The power flow P i j in any connection i, j consists in the summation of the power flows from distribution paths supplying critical and noncritical loads.
Scenario 1 (single path) results in the EPDS's topology of Fig. 6. The generators supply the LV dc loads by the series system HV box-HV/LV converter-LV bus; in other words, each distribution path supplying LV dc loads uses the same series system (L 4 is supplied by HV box). Fig. 6 illustrates the distribution paths (set K ).
Note that if a failure occurred in any component of the EPDS in Fig. 6, the power supply to LV dc loads is cut.  Given the lack of alternative paths to distribute power to the loads in Scenario 1 in Fig. 6, resilient designs are used. The resilient designs for a failure set correspond to the formulations in scenarios 2-7 of Table II, while the resilient designs with two disjoint paths correspond to the formulations in scenarios 8-14.
The EPDS's topologies that result from the synthesis of resilient designs for a failure set (scenarios 2-7 of Table II) are shown in Fig. 7 (critical loads are solidly colored, and noncritical loads have no fill). Each failure case is determined by row Failure set F of the corresponding column of Table II. Conv., HV box, and LV bus refer to single failures in power converters, HV boxes, and LV buses, respectively. In Scenario 2, the failure set F contains eight possible failures in distribution components: single failure on HV/LV converters (four in total) and single failure on HV boxes (four in total). That is why it has the largest number of HV boxes and HV/LV converters. In all cases where failure on HV/LV converter is considered (scenarios 2-7, except 6), the EPDS topology has at least two converters (redundant converters). The scenarios where failures on HV box are not considered (3 and 4), there is only one HV box (see Fig. 7). Scenario 2 in Fig. 7 (all loads are critical) is the heaviest and most expensive option, yet there is only one LV bus because failures in LV buses were not considered. The lightest (cheapest) EPDS is Scenario 6 (see Fig. 7), which considers failures in HV boxes only. This EPDS is appropriate if the HV loads (L 4 in this case) are the only critical loads. In the cases where LV loads are critical, (L 1 and L 3 on scenarios 2-5 and 7), weight and cost can be reduced with respect to the topology in Fig. 7. In general, some weight (and cost) savings are possible depending on the critical load combination and the predefined failure set F (different design requirements).
When a failure set cannot be determined, a resilient design with two disjoint-path formulations for critical loads can be used. The MEA EPDS topologies synthesized with two disjoint path formulations are presented in Fig. 8.
The two disjoint-path formulations allow the synthesis of an EPDS architecture consisting of two components of each type in all scenarios of Fig. 8 (except Scenario 11 in Fig. 8) because there is at least one LV load that is critical. The disjointness caused by Ù i j,k , Ù i,k in (7.1) and (7.2) allows the existence of separate distribution paths, i.e., two paths of the form HV box-HV/LV converter-LV bus for the critical LV loads and two paths with different HV boxes to supply critical HV loads (only where L 4 is critical, Scenarios 8, 10, 11, and 13). The reliability ê q LOAD,k of each path has been determined with the linear transformation of (8.1)-(8.3). Similar to the architectures in Fig. 7, some critical load combinations allow weight and cost savings without compromising the resiliency of the system. The lightest (cheapest) option can be obtained by setting HV loads as the critical loads, as shown in Fig. 8 (Scenario 11). For the rest of the cases where LV loads are critical, the system's cost is increased.
A summary of the results in terms of cost, weight, efficiency, losses, and reliability for each of the EPDS scenarios of Table II is presented in Table VI. This table also tabulates the solving time for comparison purposes. In addition, a graphical comparison to illustrate the potential of the proposed design framework to elaborate tradeoff analysis between cost, weight, and reliability for all scenarios of Table II is presented in Fig. 9. For each scenario, there is a line that connects the largest and lowest reliability provided by the optimal architecture.
Given that cost is considered proportional to weight, the main tradeoff analysis can be conducted with the cost versus reliability (failure probability to supply loads) of Fig. 9. For instance, below a cost of ∼500 k£, an MEA EPDS architecture is unable to achieve reliabilities below 1 − 1 × 10 −11 . However, most of the solutions provide at least reliability between 1 − 1 × 10 −8 and 1 − 1 × 10 −4 in a specific load terminal.   Table VI and Fig. 9, the following conclusive remarks apply the following.
1) In all cases, a minimum reliability level was achieved, i.e., r ≥ r TARGET,l as required by (1.3). 2) Although Scenario 1 achieves minimum reliability at a minimum cost, no resiliency is provided. 3) In general, the EPDSs synthesized to overcome failures from a failure set have higher reliabilities than the EPDSs synthesized with two disjoint-path formulations. 4) The EPDSs built with two disjoint paths have slightly higher costs compared with EPDSs synthesized from resilient designs for a failure set. 5) Scenarios 6, 11, and 13 are the most economical because the HV load (L 4 ) is set to be critical. HV loads require no power conversion, unlike LV loads that require at least one power conversion stage. 6) Scenarios 3-5, 7, and 9 are the most economical in the case that a set of LV loads (L 1 and L 3 ) are critical. The costs increase due to the power conversion stage required. 7) Scenario 14 has one critical LV load (L 1 ), and its topology's cost is slightly less expensive than having two critical LV loads, including L 1 , as in Scenario 9. However, the lower the power requirements of the LV loads, the lower the cost is, as can be seen from the results of Scenario 12. 8) The solving times of the resilient designs for a failure set are higher (on average) than the resilient designs with two-disjoint paths designs. This is due to the higher number of constraints per failure case. Finally, there are a number of opportunities with the optimal MEA EPDS architectures of Figs. 7 and 8. Because these optimal architectures were originated from different requirements established on Table II, there is no further selection of an optimum but a careful assignment of any of these architectures to an MEA application that needs a specific performance. For instance, the topology of Scenario 6 suits best when an HV load is critical and all the LV demand can be shed. The optimal architectures found in this article resemble the results found in [10] and [57] (topology optimization) and correspond to similar network structures found in [4], [16], and [54]. However, the design framework presented allows the designer to explore design space and investigate the optimum EPDS for a set of requirements or even perform a tradeoff analysis for several sets of requirements, as evidenced in Table VI. In conclusion, the reliability-based MILP network design formulations of Section V have been used to synthesize an MEA EPDS architecture for a small aircraft application. The design framework comprises two steps: GS&GLP and PDD. Although single-path formulations comply with minimum reliability, resilient formulations enable the EPDS to route power from generators to loads through alternate paths. Resilient designs for a failure set or two disjoint paths on critical loads were formulated. In addition to the load requirements, the EPDS architecture also depends on the resilient requirements and the critical load combination. Hence, an optimal EPDS's architecture can fit an MEA application depending on the requirements. As a design exercise, Table VI presents a solution palette for different scenarios of the case study. Loads that require no power conversion stages will contribute to having a lighter and more economical MEA EPDS, unlike the LV loads that add a higher number of components and, consequently, require a heavier (and costlier) EPDS. The design formulations presented in this article allows the synthesis of more complex architectures, e.g., considering energy storage, different levels of load criticality, ac and dc conversions, and several levels of power conversion. Further refinement steps for defining distribution component technology selection and sizing will be explored in future research works.

VII. CONCLUSION
The synthesis of an MEA EPDS architecture has been proposed by employing a PBD-inspired design framework that relies on reliability-based MILP network design formulations. The proposed design approach allows handling of the design's complexity by dividing the architecture synthesis into two steps, GS&GLP and PDD, supported by the relation between weight, cost, efficiency, and reliability for aircraft electrical systems. These steps are solved sequentially using linearization techniques and MILP formulations that model resiliency in an efficient manner in order to satisfy the design's reliability requirements. Resiliency is formulated as a group of constraints that ensure EPDS power availability in critical loads, either surviving a failure set or assigning two disjoint paths for critical loads. A case study for an MEA application has shown that the optimal EPDS depends on the resiliency requirements and the critical load combination, from which several optimum architectures can be appropriately assigned to an MEA application that requires such performance, and in some cases, weight and cost reductions are possible. Future research will be committed to formulating further refinement steps to synthesize platforms from the optimal MEA architecture for closer implementation to an actual MEA EPDS. APPENDIX A generator's efficiency η can be written as a relation between its mechanical input and its electrical output From (i.1), the generator's losses are Let a generator s have a power rating P G s , the total supplied load of l L l y sl (output), and a loading factor β s = ( l L l y sl )/(P G s ). The efficiency characteristic of this generator can be expressed either in terms of the power supplied (output) or its loading factor β s [see Fig. 1(b)]. Considering an efficiency η s (in %) in terms of the generator's loading factor β s , the generator's losses η LOSS s (in kW) can be written as follows: