Corrections Corrective Preventive Actions

Thank you for your question.
The further steps that you refer to (e.g. related processes or same process for different car) would, indeed, be preventive action. You are correct there. There is no limit to the number or extent of preventive actions in response to a root cause and in the medical device field manufacturers are expected to look at the reported incidents from other manufacturers and implement measures to prevent similar incidents with their own products, or even different incidents resulting from the same root cause. The same is true in the auto industry.
One root cause can have multiple effects which is why we also do Failure Mode Effects Analysis (FMEA).
Unlike FMEA, root cause analysis is always conducted on an incident that has already happened. That does not mean that dealing with a root cause can only be corrective action. In addition to preventing similar or related issues from occuring in the first place, the most proximate preventive action will always also prevent recurrance of the original issue. It's the thing or process which, if it had been in place, would have prevented the incident in the first place.
In general I have found that preventive action requires change to a process or procedure that has bearing both upon and beyond the particular incident or failure.

Thanks for the reply. That makes total sense. I always coach my team that using the 5 whys (or cause map) they should try to get to the root cause that when fixed will not only address the current failure but other related possible failures as well. I always considered this preventive action as but others have told me its still corrective but i think it is just semantics.
I have question for you. What would you consider the difference is between a non-conformance report and a CAPA. Our eQMS has separate modules for these 2 things even though they are related. We are using the CAPA module for investigations resulting from risk assessments (preventive actions) or for investigations that need to be conducted at either a higher level (ie. gaps or issues that involve more than just my site) or other departments (ie. IT, security, etc..) - areas that my department doesn't really control. Thoughts?

“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean-neither more nor less.” “The question is,” said Alice, “whether you can make words mean so many different things.” - Lewis Carroll
The difference between an NCR and a CAPA is whatever your organization defines these to be. You could be getting into the realm of Humpty Dumpty in Alice in Wonderland, but the convention seems to be that an NCR (or NC) simply and accurately describes a problem in terms of a requirement or standard that was not fulfilled. Anyone with the required training should be able to raise an NCR, not just in audits.
If the risk assessed according to the organisation's process is such that a simple correction is inadequate in dealing with the NCR, then a CAPA process is initiated. But the organisation has the final say here, provided they 'say what they do and then do what they say.'