**6. Evaluation strategy**

The open‐loop model (2) of the UH is unstable and the actuator outputs are limited. Thus, only regional stability of the UH can be guaranteed, and the stability region is determined by the system structure and the actuator constraints [16]. In other words, if the states of the UH are inside the stability region, the UH is safe; otherwise, the UH may be in danger. Obviously, after an actuator fault occurs, the actuator efficiency is reduced. Hence, the safety region of the postfault system differs from that of the fault‐free case, as shown in **Figure 6(a)**. Suppose that the safety region of the fault‐free system with a fault‐free controller is *Ω*<sub>ff</sub> and that of the postfault system with an FTC controller is *Ω*<sub>pf</sub>, as shown in **Figure 6(b)**; furthermore, the initial state of the fault‐free system is *x*<sub>0</sub> ∈ *Ω*<sub>ff</sub> and an actuator fault is detected at *k*<sub>f1</sub>. Clearly, the state *x*(*k*<sub>f1</sub>) is outside the safety region *Ω*<sub>pf</sub> of the postfault system, so the postfault system may eventually become unstable (as shown by the state trajectory *x*(*k*<sub>f1</sub>) → *x*′(*k*<sub>f1</sub>)). That is to say, this actuator fault cannot be compensated. In contrast, suppose that another fault is detected at *k*<sub>f2</sub> and *x*(*k*<sub>f2</sub>) ∈ *Ω*<sub>pf</sub> holds, which means that the fault can be compensated. However, the steady states are also determined by the references, such as *x*<sub>f1</sub>, which may lie outside the safety region *Ω*<sub>pf</sub>. Obviously, such a reference is unreachable, and tracking it may make the UH unsafe (as shown by the state trajectory *x*(*k*<sub>f2</sub>) → *x*′<sub>f1</sub>). Hence, reference reachability should be analyzed before the system moves, and a new reachable reference is necessary. Compared with *x*<sub>f1</sub>, *x*<sub>f2</sub>, which lies inside *Ω*<sub>pf</sub>, may be more reasonable.

**Figure 6.** A sample of safety region of fault‐free and postfault system in 2D state space.

According to Theorem 2, the safety region *S* is an invariant set. Clearly, a postfault system will be safe if its initial states are inside the safety region *S*<sup>f</sup> of the postfault system. First, therefore, the initial states of the postfault system (the states at fault detection) are evaluated against *S*<sup>f</sup>. Second, the steady states are analyzed. In the steady‐state case, the actuators are not expected to be saturated, so that the remaining actuator efficiency can be used for rejecting disturbances. Hence, the original reference should lie inside the reachable set of the postfault system, i.e. ref ∈ *S*<sub>rf</sub>, where *S*<sub>rf</sub> is the reachable set of the postfault system; otherwise, the original reference ref is not reachable, and tracking it may make the UH unsafe. The reason is that the actuator efficiency is reduced in the postfault system, and tracking an unreachable reference drives the fault‐free actuators into saturation, which means that the UH can no longer respond correctly to the control signal. Under this condition, a new optimal reference is required, which can be calculated by the trajectory replanning approach. In other words, if the original reference is not reachable after the actuator fault is detected, the ISBP approach should be called to calculate a new trajectory and controller reference based on the postfault dynamic model of the UH.
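The two checks described above (initial state inside the invariant safety region, and steady‐state reference inside the reachable set of the postfault system) can be made concrete on a small discrete‐time linear model. The following is an added example and not code from the paper or its authors: the matrices `A_EX`, `B_EX`, the ellipsoid `P_EX` used as a stand‐in for the safety region, the actuator limits `UMAX` and the postfault efficiency factors `EFF_PF` are all constructed values, and `replan_reference` is a simple clip‐and‐map stand‐in for the paper's ISBP trajectory replanning, not that approach itself. The reachability test uses the fact that a reference is a steady state only if the input holding it, given by ref = *A* ref + *B* *u*<sub>s</sub>, fits inside the reduced actuator limits.

```python
# Added example (not from the paper): safety-region membership and
# reference-reachability checks for a 2-state, 2-input discrete-time
# model x_{k+1} = A x_k + B u_k with saturating actuators.
# All numeric values below are constructed for illustration.

A_EX = [[0.9, 0.1],
        [0.0, 0.8]]          # constructed open-loop state matrix
B_EX = [[0.5, 0.0],
        [0.0, 0.5]]          # constructed input matrix
P_EX = [[1.0, 0.0],
        [0.0, 4.0]]          # constructed ellipsoid x^T P x <= 1 standing in for the safety region
UMAX = [0.5, 0.5]            # actuator output limits |u_i| <= UMAX[i]
EFF_PF = [1.0, 0.5]          # postfault efficiency: actuator 2 retains half its authority
TOL = 1e-9                   # tolerance so inputs landing exactly on a limit still count


def matvec(M, v):
    return [M[0][0] * v[0] + M[0][1] * v[1], M[1][0] * v[0] + M[1][1] * v[1]]


def solve2(M, b):
    """Solve M r = b for a 2x2 matrix M by Cramer's rule (raises if singular)."""
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    if abs(det) < 1e-12:
        raise ValueError("singular matrix")
    return [(M[1][1] * b[0] - M[0][1] * b[1]) / det,
            (-M[1][0] * b[0] + M[0][0] * b[1]) / det]


def i_minus_a(A):
    return [[1.0 - A[0][0], -A[0][1]], [-A[1][0], 1.0 - A[1][1]]]


def in_safety_region(x, P=P_EX, c=1.0):
    """Membership test for the invariant ellipsoid x^T P x <= c (the first check)."""
    q = x[0] * (P[0][0] * x[0] + P[0][1] * x[1]) + x[1] * (P[1][0] * x[0] + P[1][1] * x[1])
    return q <= c


def steady_state_input(ref, A=A_EX, B=B_EX):
    """Input u_s that holds ref as a steady state: (I - A) ref = B u_s."""
    return solve2(B, matvec(i_minus_a(A), ref))


def reference_reachable(ref, eff, A=A_EX, B=B_EX, umax=UMAX):
    """ref is in the reachable set iff its holding input fits the
    (possibly reduced) limits eff[i] * umax[i] without saturation (the second check)."""
    u = steady_state_input(ref, A, B)
    return all(abs(u[i]) <= eff[i] * umax[i] + TOL for i in range(2))


def replan_reference(ref, eff, A=A_EX, B=B_EX, umax=UMAX):
    """Stand-in for replanning (not the paper's ISBP method): clip the holding
    input to the reduced limits and map it back to a reachable reference."""
    u = steady_state_input(ref, A, B)
    u_clip = [max(-eff[i] * umax[i], min(eff[i] * umax[i], u[i])) for i in range(2)]
    return solve2(i_minus_a(A), matvec(B, u_clip))


if __name__ == "__main__":
    ref = [2.0, 1.0]
    print("fault-free reachable:", reference_reachable(ref, [1.0, 1.0]))
    print("postfault reachable: ", reference_reachable(ref, EFF_PF))
    print("replanned reference: ", replan_reference(ref, EFF_PF))
```

With these constructed values the original reference [2.0, 1.0] needs a holding input of [0.2, 0.4], which fits the fault‐free limits but exceeds the reduced limit 0.25 of the degraded second actuator, so it is unreachable after the fault; the clip‐and‐map stand‐in returns [1.625, 0.625], whose holding input [0.2, 0.25] sits on the reduced limit.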
