Formal methods require a comprehensive specification. Usually, if you have a specification comprehensive enough for formal verification, you already have 90% of the benefits, which is why it's (so far) only really useful in safety critical applications with a very small scope. I'm not going to take a huge risk in betting that the postal service didn't have anything resembling a serious spec in this case.
